Save to Keychain is enabled by default

fanzeyi

17 Oct, 2017 09:53 PM

Which of our tools is giving you problems?

Pinentry. Same issue as Andy mentioned in https://gpgtools.tenderapp.com/discussions/feedback/4097-save-to-ke... . His post is closed so I made this one.

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

See attachment below

Describe your problem. Add as much detail as possible.

After upgrading to the latest version of GPGTools recently, the passphrase dialog started to check "Save in Keychain" by default.

What did you expect instead

The "Save in Keychain" checkbox is unchecked by default.

Describe steps leading to the problem.

Any place that would trigger a pinentry dialog. In my case, git commit.


It is pretty annoying to have this option checked. It would make people accidentally save their GPG password in macOS's keychain - which is protected with the macOS's login password. Personally, I have a much weaker login password for convenience, and if this password is compromised, anyone can have the plaintext of my GPG password from macOS's keychain.

I have also looked into the source code and I found this, which prompts me to check the defaults in my system. Here is the result:

$ defaults read org.gpgtools.common
{
    keyservers =     (
        "hkp://pgp.mit.edu"
    );
}

No option of SaveInKeychain is specified in my system. Also, a temporary solution to disable this behavior is to run the following command:

defaults write org.gpgtools.common UseKeychain false

This makes me suspect that if this option is not specified in defaults, GPGTools would get true instead of false. This behavior (or, bug) might be introduced by a recent macOS update (High Sierra).


I tried to run defaults delete org.gpgtools.common UseKeychain and the "Save in Keychain" checkbox is checked by default again.


Okay, found this commit. So it is intended. As I mentioned above, anyone who has access to the macOS login password will have access to the plaintext stored in Keychain.app. Even if you want to promote this feature, please at least implement some kind of remember-last-choice behavior. Otherwise people like me who don't want to store their password in the keychain would need to uncheck it every time (or spend time investigating until finding that option).
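The check described in the post above, written out as an added shell example (not part of the original post and not GPGTools code): it reads the `UseKeychain` key from `org.gpgtools.common` and reports what the checkbox default will be, including the unset case that the post found to be pre-checked. The function names and the state labels are made up for this example.

```shell
#!/bin/sh
# Added example: report the effective "Save in Keychain" default for the
# current user. DOMAIN and KEY come from the thread; the function names
# and state labels are assumptions of this example.
DOMAIN="org.gpgtools.common"
KEY="UseKeychain"

# classify_use_keychain VALUE EXIT_STATUS
# Maps the output and exit status of `defaults read` to a checkbox state.
classify_use_keychain() {
    value=$1
    status=$2
    if [ "$status" -ne 0 ]; then
        # Key absent: per the thread, the checkbox is then pre-checked.
        echo "unset-checked"
        return 0
    fi
    # `defaults write ... UseKeychain false` without a type flag stores the
    # string "false"; written with -bool it reads back as 0 or 1.
    # Accept both representations.
    case $(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') in
        0|false|no) echo "unchecked" ;;
        1|true|yes) echo "checked" ;;
        *)          echo "unknown" ;;
    esac
}

# Reads the preference and classifies it. `defaults read` exits non-zero
# when the key does not exist, which is how the unset case is detected.
audit_use_keychain() {
    value=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null) && status=0 || status=$?
    classify_use_keychain "$value" "$status"
}

# Run the audit only where `defaults` exists (macOS).
if command -v defaults >/dev/null 2>&1; then
    echo "$DOMAIN $KEY: $(audit_use_keychain)"
fi
```

A result of `unset-checked` or `checked` means a passphrase typed into pinentry will be stored in the login keychain unless the box is cleared by hand each time.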

  1. Support Staff 1 Posted by Luke Le on 18 Oct, 2017 09:22 AM

    Hi fanzeyi,

    we have changed this default since we found that it makes handling passphrases a lot easier for many of our users. But you can of course change the default in System Preferences -> GPG Suite

    Hope that helps.

    P.S.: Nice investigation :)

  2. 2 Posted by gpg_dude on 21 Oct, 2017 10:39 PM

    @luke le: we've noticed this too and unfortunately while it may make things easier in the short run - it can seriously compromise the security of the GPG passphrase as many users sync their keychains to iCloud (often without realizing it since Apple likes to make this the default during setup). Would it be possible to persuade you to change the default back to having it unchecked - or perhaps adding a step during installation/upgrade that at least prompts & asks the user whether or not they'd like it enabled - perhaps with a brief explanation of the risks of doing so?

    I also just realized I had already created an issue for this here: https://gpgtools.tenderapp.com/discussions/problems/59031-gpgtools-...

  3. 3 Posted by anon on 04 Nov, 2017 11:28 PM

    I agree with gpg_dude that the save to Keychain box should NOT be checked by default. I accidentally saved my key to Keychain without realizing it, and this created a security vulnerability for me. Security should be the highest priority with a product such as gpg.

  4. Support Staff 4 Posted by Steve on 10 Dec, 2017 04:55 PM

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.

    The idea is to explicitly ask the user and inform them about the pros and cons of storing the password in macOS keychain.

    Kindly,
    steve

  5. 5 Posted by Matt Martini on 24 Jan, 2018 10:43 PM

    I agree with fanzeyi and Steve that saving to the Apple Keychain should NOT be the default. If you want to add convenience for users, give them a first-use pop-up that directs them to preferences -> settings. You should always default to a position of higher security.

  6. Support Staff 6 Posted by Steve on 25 Jan, 2018 11:06 AM

    Thanks for your input Matt. I've added your vote and input to the open ticket.

  7. 7 Posted by gpg_dude on 26 Mar, 2018 04:25 PM

    Hey Steve - any update on the ticket for this?

  8. Support Staff 8 Posted by Steve on 26 Mar, 2018 04:34 PM

    Sorry, not yet. As always we will keep you posted as we have news.

  9. 9 Posted by gpg_dude on 26 Mar, 2018 04:36 PM

    Is there any way to bump it? I recently sat with some folks I helped get up on GPGmail a year ago and several of them had no idea what their GPG passphrase was because "one day it just stopped asking me for it, but encryption kept working"

  10. Support Staff 10 Posted by Luke Le on 28 Mar, 2018 01:36 PM

    Hi gpg_dude and others,

    this issue is high on our priority list for the setup wizard we are currently planning on developing. Unfortunately at the end of last year our development and distribution infrastructure broke down and it took us quite some time to get it up and running again, which set us back longer than expected.

    While we absolutely agree that this can be a security issue for some, we most often hear from our users that they don't know what their GPG passphrase is and that they can't remember it. Depending on your data that can be a much more problematic situation to be in. So a setup wizard where the user is alerted to the possible consequences of the "store passphrase" choice is definitely the way to go.
    I'd like to believe that users who have more serious threat levels to consider will be able to find the option where to disable this preference.

  11. Steve closed this discussion on 18 Jul, 2018 02:01 PM.
