GPGServices phone home bug & few other questions
(1) I think there is a small bug/issue with your implementation of Sparkle Update.
I don't want GPGTools 'phoning home' at all. In GPGPreferences I made sure "automatically check for updates" was deselected. And in GPG Keychain access i also set auoto update to off via the prefs.
I double checked the plists in ~/Library/Preferences
All <key>SUEnableAutomaticChecks</key> were set to <false/> so automatic updates were off.
So I presumed all auto updates were disabled.
Then a couple of days ago in nettop I noticed GPGServices phoning home! It contacted 220.127.116.11 which is gpgtools.org.
On checking org.gpgtools.gpgservices.plist the time and date stamp for <key>SULastCheckTime</key> matched the phone home time t the second. Its worth noting that org.gpgtools.gpgservices.plist does not have a <key>SUEnableAutomaticChecks</key>
Could you please confirm if this GPGServices/Sparkle Update/phone home issue is a bug and if not why not?
I'm guessing that if I simply add <key>SUEnableAutomaticChecks</key> and set it to <false/> it will fix the issue?
(2) Another bug/improvement: it would helpful to have GPGPreference list the GPGTools version in the About box.
(3) Again in GPGPreference in the About box why does it say "On" in the bottom right hand corner?
(4) When encrypting using GPGServices, in the "Choose Recipients" dialogue there is a tick box "Add to Recipients". What does that do?
GPGTools ver 20130330
OS X 10.8.4
Comments are currently closed for this discussion. You can start a new one.
|?||Show this help|
|ESC||Blurs the current field|
|r||Focus the comment reply box|
|^ + ↩||Submit the comment|
You can use
Command ⌘ instead of
Control ^ on Mac
1 Posted by Samantha on 16 Jul, 2013 09:37 AM
Re (4) Sorry, I just found
Just to confirm:
So it automatically adds me (the encryptor) to the list of people that can decrypt the file. I was selecting my own key manually from the list but with this option selected I don't need to that?
Wow, now that I think about it, it raises the unexpected possibility that it is actually possible to encrypt a file but not be able to decrypt it yourself (by deselecting that option)?
Support Staff 2 Posted by Luke Le on 17 Jul, 2013 01:04 PM
thanks for bringing this to our attention, we'll have a closer look at it.
Sparkle Updates are on by default, since it's really important for our users to always have the latest versions of the tools.
However it should be possible of course to disable that option AND if disabled, our tools should abide to that setting.
(2): You're absolutely right, the version of GPGTools should be listed and actually I thought it already was. The versioning is a bit problematic, since you could have a version of GPGTools installed, but all nightly versions of all other tools. But I hope we find a way to make this less confusing
(3): The "0n" you're seeing is the version which is displayed if you build GPGPreferences yourself. Otherwise you should not be seeing this.
(4): The GPGServices UI is a huge mess. But you figured it out what it does. It's confusing as hell to me, to be honest. And yes, it's absolutely possible to encrypt a file which you yourself can no longer open. This should not be a problem, unless you deleted the original.
You can follow progress on the bugs you reported under the URLs above.
It might take us some time however to get those changes in, since we're currently focused on getting GPGMail just right.
3 Posted by Samantha on 17 Jul, 2013 06:30 PM
Hi Luke thanks for your reply.
Re (1) It came to mind afterwards that both GPG Preferences and GPG Keychain Access have GUI's that allow the user to toggle updates on/off.
GPGServices doesn't have a GUI so there's no way to toggle the updates to off.
I'd suggest adding a toggle for GPGServices updates to GPGPreferences pane (I originally thought that the way it was set up)
As a work around to solve my own issue I went ahead and added that key <key>SUEnableAutomaticChecks</key> and set it to false. I'm 99% sure that should stop GPGServices phoning home.
Re (3) Are your sure that's 100% correct? I have the "On" displayed but I didn't build my version. I installed it using the official GPGTools-20130330.dmg.
According to the download page it should have the SHA1 617427f478990228f72683cc15d359df5b56a69c which I can confirmed it has.
Has that dmg been compromised somehow on the server side? I'd really appreciate if you could clarify the the thought of a compromised GPG is worrying.
Re (4) It's not that the interface is confusing, for me its more that the FAQ and documentation could do with a little beefing up.
Thanks again for your help and for listing the bugs/issues on the bug tracker :-)
Support Staff 4 Posted by Luke Le on 18 Jul, 2013 10:18 AM
(1) that's exactly the reason why it's currently not possible for GPGServices, but as you say, it should definitely be possible from within GPGPreferences
(3) There's no need to worry, chances are very good that this is a bug of ours. BUT could you please install the new version of GPGTools v20130520? It's the most current and much more stable version than the one you have installed.
If it had been compromised chances would be very little that the SHA1 still matches.
(5) Absolutely true, lots of documentation is still missing, yet we'd love to create and design our tools in a way that documentation is not really necessary in the first place.
Let us know if you have more questions.
5 Posted by Samantha on 18 Jul, 2013 05:12 PM
Re (3) Sounds like a good idea.
Sorry to be a pain, but what's the procedure for updating when using the GPGTools.dmg: should I uninstall the previous version first or just run the newer installer.pkg over the existing installation?
Support Staff 6 Posted by Luke Le on 18 Jul, 2013 05:31 PM
No problem at all, we're happy to answer all your questions :)
You can simply install the newest version over the previous one. No need to uninstall.
7 Posted by Samantha on 18 Jul, 2013 06:35 PM
Brilliant. Thanks Luke :-)
Support Staff 8 Posted by Luke Le on 18 Jul, 2013 09:13 PM
Closing this discussion then. Feel free to open a new one anytime should you have more questions or run into problems.
Luke Le closed this discussion on 18 Jul, 2013 09:13 PM.
Steve closed this discussion on 20 Aug, 2013 04:24 PM.
Steve closed this discussion on 25 May, 2014 11:19 AM.