GPG Suite 2018.3
We are very happy to announce the release of GPG Suite 2018.3.
For 2018.3 we have backported our EFAIL mitigations, introduced in GPGMail 3.0b6 for macOS High Sierra, to macOS Sierra. The backport also includes some additional mitigations specifically for S/MIME.
We are still evaluating whether the changes can be backported to macOS El Capitan as well. If you have the chance, please update to macOS High Sierra.
In addition, 2018.3 includes GnuPG 2.2.8, which fixes a recently discovered exploit known as SigSpoof.
SigSpoof was discovered by Marcus Brinkmann of NeoPG and allows an attacker to fake any signature using a specially crafted OpenPGP message. In order for the exploit to work, the `verbose` option has to be enabled in gpg.conf.
Unless a user had explicitly added the verbose option to gpg.conf, it is very unlikely that our users were affected by SigSpoof, since GPG Suite itself never used that option.
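To check whether a given gpg.conf has the `verbose` option active, the following script can be used. It is an added example, not part of GPG Suite or GnuPG. It assumes one option per line, treats a line whose first non-blank character is `#` as a comment, conservatively accepts a leading `--`, and matches only the full option names `verbose` and `no-verbose`.

```shell
#!/bin/sh
# Added example (not GPG Suite code): report whether `verbose` is effectively
# enabled in a gpg.conf, the precondition the announcement names for SigSpoof.

# Print the effective verbose count for the config file given as $1.
verbose_level() {
    awk '
        {
            gsub(/^[ \t]+|[ \t]+$/, "")   # trim surrounding whitespace
            if ($0 ~ /^#/) next           # whole-line comment
            sub(/^--/, "")                # assumption: tolerate a leading "--"
        }
        $0 == "verbose"    { level++ }    # each occurrence raises the level
        $0 == "no-verbose" { level = 0 }  # a later no-verbose resets it
        END { print level + 0 }
    ' "$1"
}

# Return 1 and print a finding when verbose is active in the file given as $1.
audit_gpg_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "skip: no readable config at $conf"
        return 0
    fi
    level=$(verbose_level "$conf")
    if [ "$level" -gt 0 ]; then
        echo "FINDING: verbose enabled (level $level) in $conf"
        return 1
    fi
    echo "ok: verbose not enabled in $conf"
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
printf '%s\n' '# verbose' 'use-agent' '  verbose' > "$sample"
audit_gpg_conf "$sample" || true
rm -f "$sample"
```

For a real check, call `audit_gpg_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"`. A finding only means the option is set; updating to a release that ships GnuPG 2.2.8 is still the fix.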