GNUPG – Email encryption and signing – full setup on Mac OSX

To sign and encrypt emails on Thunderbird one can use PGP keys. To understand the cryptography behind it and read more about PGP, please use Google. This post will just describe the setup on Mac OSX.

#1 Install Thunderbird

I will let you figure out that one by yourself. Get it here.

#2 Install Enigmail Addon

In Thunderbird go to Tools > Add-ons and search for “Enigmail”. Click “Add to Thunderbird” and you’re good to go.

#3 Install gnupg

This is a bit tricky. I found various binary versions of GPG key management software. Namely:

You can find a list and source packages of gnupg on their website: https://www.gnupg.org/download/index.html

However, I am not a fan of installing whole suites. I much prefer single packages with only the most necessary stuff, and I like to install things via homebrew to keep everything smart, manageable and in one location. This is what homebrew gives me. I found this smart post which outlines the procedure and gives the necessary hints that I will simply copy here: Engimail, gnupg & pinentry on Mac OS X using Homebrew.

So here we go:

brew install gnupg

This will install the gnupg package so it can be used on the commandline. However, as you can read in the above-mentioned post, it will only install “pinentry”, which does not provide GUI support but runs only on the commandline. This hinders the Enigmail setup wizard later on, so we have to fix this. The package “pinentry-mac” is needed to have GUI support. So:

brew install pinentry-mac

Test the successful installation by pasting this into your commandline:

pinentry-mac <<EOT
SETDESC Hello World
CONFIRM
EOT

If you see a popup, the setup was correct.

Then, in “~/.gnupg/gpg-agent.conf”, add the line “pinentry-program /usr/local/bin/pinentry-mac”. This points gpg-agent to the right authentication program, so that when Enigmail asks for authentication, the user is prompted to enter the password used to encrypt their private key.

Restart gpg-agent (using Activity Monitor or logout and back in), and you should be able to step through the Enigmail setup wizard without any problems!
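The gpg-agent.conf step above can also be scripted. This is an added example, not part of the original post or the post it quotes: the function name set_pinentry and the --apply switch are made up for illustration, and the reload assumes GnuPG 2.x, which ships gpgconf. It resolves pinentry-mac through the PATH instead of hard-coding /usr/local/bin, refuses a path that is not an executable (gpg-agent runs whatever this line names to collect your passphrase), and replaces an earlier pinentry-program line rather than appending a second one.

```shell
#!/bin/sh
# Added example: idempotently point gpg-agent at a pinentry binary.
# usage: set_pinentry GNUPG_HOME PINENTRY_PATH   (hypothetical helper name)
set_pinentry() {
    gnupg_home=$1
    pinentry=$2

    # gpg-agent executes this program to ask for the passphrase, so only
    # accept an existing executable file, never a directory or a typo.
    if [ ! -x "$pinentry" ] || [ -d "$pinentry" ]; then
        echo "not an executable file: $pinentry" >&2
        return 1
    fi

    # GnuPG expects its home directory to be private to the user.
    mkdir -p "$gnupg_home" && chmod 700 "$gnupg_home" || return 1
    conf=$gnupg_home/gpg-agent.conf
    tmp=$conf.tmp.$$

    # Keep every existing option except an earlier pinentry-program line.
    if [ -f "$conf" ]; then
        sed '/^[[:space:]]*pinentry-program[[:space:]]/d' "$conf" > "$tmp" || return 1
    else
        : > "$tmp"
    fi
    printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"

    # Write the new file in one step so the agent never reads a partial config.
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Run as "sh this-script.sh --apply" to change the real configuration.
if [ "${1:-}" = "--apply" ]; then
    # command -v finds pinentry-mac wherever Homebrew linked it.
    set_pinentry "${GNUPGHOME:-$HOME/.gnupg}" "$(command -v pinentry-mac)" &&
        gpgconf --kill gpg-agent   # the agent starts again on next use
fi
```
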

Finally, go to Thunderbird and (after you have installed the Enigmail addon) go to Enigmail > Setup Wizard and choose “extended configuration (for advanced users)”. You should be able to finish the wizard without issues, especially the part about creating a revocation certificate, which would have errored out with “unable to create certificate” if you hadn’t done the “pinentry-mac” step above.

Enjoy your newfound email PGP security!

For some additional reading and guides: