<p><strong>GPGTools: Discussion: Save to Keychain is enabled by default</strong></p>
<p>2017-10-17T21:53:31Z (updated 2017-10-17T22:05:37Z)</p>
<div><p><strong>Which of our tools is giving you problems?</strong></p>
<p>Pinentry. Same issue as Andy mentioned in <a href="https://gpgtools.tenderapp.com/discussions/feedback/4097-save-to-keychain-is-enabled">https://gpgtools.tenderapp.com/discussions/feedback/4097-save-to-ke...</a>. His post is closed so I made this one.</p>
<p><strong>Attach a screenshot of the version info for all installed components (how to: <a href="https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info-of-the-installed-tools">https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...</a>):</strong></p>
<p><em>See attachment below</em></p>
<p><strong>Describe your problem. Add as much detail as possible.</strong></p>
<p>After upgrading to the latest version of GPGTools recently, the passphrase dialog started to check "Save in Keychain" by default.</p>
<p><strong>What did you expect instead</strong></p>
<p>The "Save in Keychain" checkbox is unchecked by default.</p>
<p><strong>Describe steps leading to the problem.</strong></p>
<p>Any place that would trigger a pinentry dialog. In my case, git commit.</p>
<hr>
<p>It is pretty annoying to have this option checked. It would make people accidentally save their GPG password in macOS's keychain, which is protected with the macOS login password. Personally, I have a much weaker login password for convenience, and if this password is compromised, anyone can have the plaintext of my GPG password from macOS's keychain.</p>
<p>I have also looked into the source code and I found <a href="https://github.com/GPGTools/pinentry-mac/blob/master/Source/PinentryController.m#L35">this</a>, which prompts me to check the defaults in my system. Here is the result:</p>
<pre>
<code>$ defaults read org.gpgtools.common
{
    keyservers = (
        "hkp://pgp.mit.edu"
    );
}</code>
</pre>
<p>No option of <code>SaveInKeychain</code> is specified in my system. Also, a temporary solution to disable this behavior is to run the following command:</p>
<pre>
<code>defaults write org.gpgtools.common UseKeychain false</code>
</pre>
<p>This makes me suspect that if this option is not specified in the defaults, GPGTools gets <code>true</code> instead of <code>false</code>. This behavior (or bug) might have been introduced by the recent macOS update (High Sierra).</p>
<hr>
<p>I tried to run <code>defaults delete org.gpgtools.common UseKeychain</code> and the "Save in Keychain" checkbox was checked by default again.</p>
<hr>
<p>Okay, found <a href="https://github.com/GPGTools/pinentry/commit/2c9eee7302f1eb1440e5ecfe9cbb15bea884691b">this commit</a>. So it is intended. As I mentioned above, anyone who has access to the macOS login password will have access to the plaintext stored in Keychain.app. Even if you want to promote this feature, please at least implement some kind of remembering-last-choice behavior. Otherwise, people like me who don't want to store their password in the keychain would need to uncheck it every time (or spend time investigating until finding that option).</p></div>
<p>fanzeyi</p>
<p>2017-10-18T09:22:51Z</p>
<div><p>Hi fanzeyi,</p>
<p>We have changed this default since we found that it makes handling passphrases a lot easier for many of our users. But you can of course change the default in System Preferences -> GPG Suite.</p>
<p>Hope that helps.</p>
<p>P.S.: Nice investigation :)</p></div>
<p>Luke Le</p>
<p>2017-10-21T22:39:33Z (updated 2017-10-21T22:54:26Z)</p>
<div><p>@luke le: we've noticed this too, and unfortunately, while it may make things easier in the short run, it can seriously compromise the security of the GPG passphrase, as many users sync their keychains to iCloud (often without realizing it, since Apple likes to make this the default during setup). Would it be possible to persuade you to change the default back to having it unchecked, or perhaps to add a step during installation/upgrade that at least prompts and asks the user whether or not they'd like it enabled, perhaps with a brief explanation of the risks of doing so?</p>
<p>I also just realized I had already created an issue for this here: <a href="https://gpgtools.tenderapp.com/discussions/problems/59031-gpgtools-20171-re-checks-store-in-macos-keychain">https://gpgtools.tenderapp.com/discussions/problems/59031-gpgtools-...</a></p></div>
<p>gpg_dude</p>
<p>2017-11-04T23:28:06Z</p>
<div><p>I agree with gpg_dude that the save to Keychain box should NOT be checked by default. I accidentally saved my key to Keychain without realizing it, and this created a security vulnerability for me. Security should be the highest priority with a product such as gpg.</p></div>
<p>anon</p>
<p>2017-12-10T16:55:40Z</p>
<div><p>We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.</p>
<p>The idea is to explicitly ask the user and inform them about the pros and cons of storing the password in macOS keychain.</p>
<p>Kindly,<br>
steve</p></div>
<p>Steve</p>
<p>2018-01-24T22:43:09Z</p>
<div><p>I agree with fanzeyi and Steve that saving to the Apple Keychain should NOT be the default. If you want to add convenience for users, give them a first-use pop-up that directs them to preferences -> settings. You should always default to a position of higher security.</p></div>
<p>Matt Martini</p>
<p>2018-01-25T11:06:06Z</p>
<div><p>Thanks for your input Matt. I've added your vote and input to the open ticket.</p></div>
<p>Steve</p>
<p>2018-03-26T16:25:14Z</p>
<div><p>Hey Steve - any update on the ticket for this?</p></div>
<p>gpg_dude</p>
<p>2018-03-26T16:34:21Z</p>
<div><p>Sorry, not yet. As always we will keep you posted as we have news.</p></div>
<p>Steve</p>
<p>2018-03-26T16:36:38Z</p>
<div><p>Is there any way to bump it? I recently sat with some folks I helped get up on GPGMail a year ago, and several of them had no idea what their GPG passphrase was because "one day it just stopped asking me for it, but encryption kept working".</p></div>
<p>gpg_dude</p>
<p>2018-03-28T13:36:57Z (updated 2018-07-18T14:01:38Z)</p>
<div><p>Hi gpg_dude and others,</p>
<p>This issue is high on our priority list for the setup wizard we are currently planning on developing. Unfortunately, at the end of last year our development and distribution infrastructure broke down and it took us quite some time to get it up and running again, which set us back longer than expected.</p>
<p>While we absolutely agree that this can be a security issue for some, we most often hear from our users that they don't know what their GPG passphrase is and that they can't remember it. Depending on your data, that can be a much more problematic situation to be in. So a setup wizard where the user is alerted to the possible consequences of the "store passphrase" choice is definitely the way to go.<br>
I'd like to believe that users who have more serious threat levels to consider will be able to find the option to disable this preference.</p></div>
<p>Luke Le</p>
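The check fanzeyi ran in the opening post (`defaults read` on `org.gpgtools.common`, then `defaults delete` to confirm that a missing key brings the pre-ticked box back) and the temporary fix he gives (`defaults write org.gpgtools.common UseKeychain false`) folded into one POSIX shell audit script. This is an added example, not GPGTools' or pinentry-mac's code. It assumes the preference domain and key named in the thread, and it treats an absent `UseKeychain` key as "enabled", which is the behaviour the thread establishes from the `defaults delete` experiment and the linked commit. The classification functions are pure and run anywhere; the `*_live` functions need macOS, where `defaults(1)` exists.

```shell
#!/bin/sh
# Added example, not GPGTools code. Audits the pinentry-mac "Save in Keychain"
# default discussed in the thread. Assumes the preference domain and key named
# there (org.gpgtools.common / UseKeychain) and that an absent key falls back to
# the compiled-in default, which the thread establishes is "enabled".

# Classify the raw value printed by `defaults read`. An empty string stands for
# "key not set": `defaults read` exits non-zero and prints nothing in that case.
interpret_use_keychain() {
  case "$1" in
    "")                   echo "enabled (key absent; compiled-in default applies)" ;;
    0|false|FALSE|NO|no)  echo "disabled (explicitly set)" ;;
    1|true|TRUE|YES|yes)  echo "enabled (explicitly set)" ;;
    *)                    echo "unknown value: $1" ;;
  esac
}

# Exit status 0 only when the dialog will NOT pre-tick "Save in Keychain".
# Usable as a pass/fail baseline check across a fleet of Macs.
use_keychain_is_disabled() {
  case "$(interpret_use_keychain "$1")" in
    disabled*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Live audit; only meaningful on macOS, where defaults(1) exists.
# Returns 0 (disabled), 1 (enabled) or 2 (cannot check on this platform).
audit_live() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "defaults(1) not found; this check only runs on macOS" >&2
    return 2
  fi
  raw=$(defaults read org.gpgtools.common UseKeychain 2>/dev/null) || raw=""
  echo "UseKeychain: $(interpret_use_keychain "$raw")"
  use_keychain_is_disabled "$raw"
}

# Remediation using the command from the thread: set the key explicitly so the
# checkbox is no longer pre-ticked. The user can still opt in per dialog.
harden_live() {
  defaults write org.gpgtools.common UseKeychain false
}

# Usage: sh pinentry_keychain_audit.sh          (audit only)
#        sh pinentry_keychain_audit.sh harden   (audit, then fix if enabled)
if [ "${0##*/}" = "pinentry_keychain_audit.sh" ]; then
  audit_live
  status=$?
  if [ "$status" -eq 1 ] && [ "$1" = "harden" ]; then
    harden_live && audit_live
  fi
fi
```

Distinguishing "absent" from "explicitly disabled" is the point of the check: a machine that has never had the key written looks clean in `defaults read org.gpgtools.common` (as in fanzeyi's output above) yet behaves as enabled, so a baseline that only greps for `UseKeychain = 1` would miss it.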