Mac Tips

All things Mac  

GNU Privacy Guard 2.0.9

This document shows how to get a working GnuPG version 2 system on OS X,
in particular what is required to use this setup with the
GPGMail plugin for Apple Mail.

Below, "${PREFIX}" is the top-level install dir for optional packages. For
default MacPorts this would be "/opt/local"; another common variant is "/usr/local".
To use the cut-and-paste commands below, first replace ${PREFIX} with the
appropriate string for your setup.

Install gpg2 (with macports - "sudo port install gnupg2") and then point GPGmail at it:

defaults write GPGOpenPGPExecutablePath "${PREFIX}/bin/gpg2"

Install gpg-agent (with macports - "sudo port install gpg-agent").
(AS OF 20/5/2008, macports gpg-agent is at 2.0.7. Must be 2.0.9 to work out
of the box. Compile your own/hack local Portfile etc. to get 2.0.9)

Basic Requirements and Comments
Make sure you are using gpg and gpg-agent 2.0.9 or later, since only this version
(and later) passes the right argument format to pinentry under OS X.

GPG2 requires that you use the gpg-agent, otherwise you'll just get "bad
passphrase" in GPGMail. This requires some modifications in your gpg setup:

1) gpg-agent needs to run at login, otherwise Mail won't pick up the
environment variables it needs to pass to the gpg subprocesses so that the
gpg-agent can be contacted. You can do this manually by starting
gpg-agent in a terminal and then doing "open /Applications/" from
your home directory (must be in your home dir or GPGMail won't find your
.gnupg directory and buttons will be missing). However, this is clunky.
There is an alternative: the "--use-standard-socket" option to
gpg-agent makes it use a standard UNIX domain socket. Its path has no
randomised component, so it is always the same, and gpg programs always
check it if there is no GPG_AGENT_INFO env var set. This is
ideal. However, you still want to make gpg-agent start on login so you don't
have to start it manually every time and don't have to start Mail from the
command line.

2) You need a GUI pinentry (password prompt) for GPG. The default pinentry
program is built with ncurses support which is fine in a terminal but from
GPGMail, it just means that everything hangs because it has no tty to speak
to when prompting for your GPG passphrases. You have to use a GUI pinentry.
You also have to rebuild gpg-agent because if you don't, the GUI window for
pinentry cannot accept any focus and is essentially useless. Benjamin
Donnachie has already worked this out
( but the
directions there are for older versions of the programs and don't work as
stated with gpg 2.0.9 and OSX 10.5. I have adapted these instructions, see
below. Thanks to Gavin Reid for the updated 2.0.9 agent patch.

3) Note that with macports, gnupg2 does not include the gpg-agent, which is
a separate port and required in order to use gpg2. It is sometimes a few
revs behind gpg2 but you'll have to build your own gpg-agent anyway, see
below. There is no point installing the gpg-agent from macports (well,
until the official gpg-agent is patched for OSX ...).

GPG agent - running at login
Create /etc/login-script and make it executable:

#!/bin/sh
# Runs from the login hook; $1 is the user who is logging in.

# Very important - get rid of old sockets which may be there if we are
# rebooting after a crash. If these are still there, then gpg-agent will
# complain and login will hang.

# normal GPG agent socket
if [ -e "/Users/$1/.gnupg/S.gpg-agent" ]; then
  rm -f "/Users/$1/.gnupg/S.gpg-agent"
fi

# GPG agent socket for ssh
if [ -e "/Users/$1/.gnupg/S.gpg-agent.ssh" ]; then
  rm -f "/Users/$1/.gnupg/S.gpg-agent.ssh"
fi

# Start the agent as the user, on the fixed (standard) socket path
su -l "$1" -c "${PREFIX}/bin/gpg-agent --daemon --use-standard-socket --enable-ssh-support"

Leave out the "--enable-ssh-support" option if you're not using gpg-agent as
your ssh-agent.
Add this script to the login hook:

sudo defaults write LoginHook /etc/login-script

Create a logout script (/etc/logout-script) and make it executable:

killall gpg-agent

Add this script to the logout hook:

sudo defaults write LogoutHook /etc/logout-script

Without the logout script, gpg-agent keeps running after you log out. When
you log back in, the login hook fails to run (since gpg-agent is already
running), but you can't talk to the socket any more and gpg-agent will be useless.

Getting a GUI pinentry
Get Benjamin Donnachie's Mac-native pinentry from

Drop the bundle in the /Applications folder.

Modify ~/.gnupg/gpg-agent.conf to add

pinentry-program "/Applications/"

Don't use the "no-grab" option in the gpg-agent.conf file. This makes the
native pinentry GUI app hang invisibly.
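
A quick way to check a GnuPG home directory against the settings described above (GUI pinentry configured, no "no-grab", nothing stale sitting at the fixed socket names). This is an added example, not part of the original instructions; the function name audit_gnupg_home is hypothetical.

```sh
#!/bin/sh
# Added example: audit a GnuPG home dir for the settings this page relies on.
# Prints one line per finding and returns the number of findings (0 = clean).
# Usage: audit_gnupg_home "$HOME/.gnupg"
audit_gnupg_home() {
    home_dir=$1
    conf="$home_dir/gpg-agent.conf"
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # The directory holds private keys and the agent socket: owner-only access.
    mode=$(ls -ld "$home_dir" 2>/dev/null | cut -c1-10)
    case $mode in
        d???------) ;;
        d*) report "$home_dir is accessible to group/other ($mode)" ;;
        *)  report "$home_dir is missing or not a directory"
            return "$findings" ;;
    esac

    if [ ! -f "$conf" ]; then
        report "no gpg-agent.conf, so the default pinentry will be used"
    else
        # Only active option lines count; commented-out lines do not match.
        pin=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' \
              "$conf" | tail -n 1 | tr -d '"')
        if [ -z "$pin" ]; then
            report "pinentry-program is not set"
        elif [ ! -x "$pin" ]; then
            report "pinentry-program '$pin' is not executable"
        fi
        if grep -Eq '^[[:space:]]*no-grab([[:space:]]|$)' "$conf"; then
            report "no-grab is set (the native pinentry hangs invisibly)"
        fi
    fi

    # Fixed-path sockets: anything else at these names gets in the agent's way.
    for s in S.gpg-agent S.gpg-agent.ssh; do
        p="$home_dir/$s"
        if [ -L "$p" ] || { [ -e "$p" ] && [ ! -S "$p" ]; }; then
            report "$p exists but is not a socket"
        fi
    done
    return "$findings"
}
```
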

TextMate setting up for LaTeX with 64-bit kernel

      "⌘R (or similar) giving Inappropriate ioctl for device error
ticket F66289D9
  1. This is caused by booting the kernel in 64 bit mode. Very few systems should do this by default, see this article about how to control which kernel to use.

    Workaround: Comment out line 169 in $TM_SUPPORT_PATH/lib/tm/process.rb, this line looks like this:

    io[0][0].fcntl(6, ENV['TM_PID'].to_i) if ENV.has_key? 'TM_PID'

    To open the file (from the proper support folder) you can press ⌃R on the following line in a TextMate document:

    open -a TextMate "$TM_SUPPORT_PATH/lib/tm/process.rb"

    Be aware that this will disable interactive input. Something which was initially broken on Snow Leopard, but is working using the latest dylib from the svn repository."