April 5, 2008: GnuPG-2 and ABxLDAP under Leopard 10.5.2
After a recent upgrade to Leopard, I hit a couple of roadblocks while trying to reconfigure my system for GnuPG and ABxLDAP. Both were working just fine under Tiger so it took a little digging in to figure out what was up.
GnuPG
I think my issue with getting Thunderbird + enigmail and Mail.app + GPGMail working was that I was trying to use pinentry-mac.app from a new test version of Mac GPG, which seems to have some issues, at least under Leopard. I built the latest gnupg (2.0.9) and had its GPG agent running, but trying to encrypt or decrypt would appear to launch pinentry-mac, and no GUI was to be found aside from an entry in the application switcher, which allowed me to kill it via command-Q. Various folks on the GnuPG list seemed to have things working, so it was obviously possible.
In the end, what did it for me was installing the GPG-dependencies through fink. I initially tried to use fink’s gpg2 and pinentry and that worked for command-line usage but would not do it using pinentry-mac. I use fink for gnucash2 so it was just a matter of installing gnupg2 (which installed all its dependencies) and then removing the gnupg2 package.
To do this, you first need to install the Xcode tools from your Leopard disc and then download and install fink. Note that, as of this writing, there is no fink installer for Leopard so you have to set it up from the command line. It’s just three well-documented steps and a little bit of waiting while everything compiles. Once you have fink up, install its gnupg2 package to get all the dependencies in place:
sudo fink install gnupg2
and then remove it:
sudo fink remove gnupg2
I know this doesn’t sound right, but the last command will only uninstall fink’s gnupg2, leaving all its dependencies installed.
Now download the latest gnupg2 source and build it:
./configure
make
sudo make install
This places gpg2, gpg-agent and so on all under /usr/local/.
Finally, to get pinentry-mac, I downloaded the mac-gnupg archive courtesy of Benjamin Donnachie. As I said, you want to avoid the 2.0.7-test version (latest as of this writing) and instead grab 2.0.4-2. Extract it so you end up with the .pkg bundle, then use the Finder to right-click on it, select Show Package Contents and go into the Contents folder. Here you’ll find a file named Archive.pax.gz that you need to extract, resulting in a new Archive folder. Look in there and you’ll see an Applications folder containing pinentry-mac.app and start gpg-agent.app. You’ll only need to copy the first to your Applications folder.
All programs are now in place so you next need to configure the environment. I used two posts as guidelines, one on the gnupg listserv and another on Mischa Beitz’s blog and tailored the three key settings files to my needs. (I created a ZIP archive with the three files. You’ll need to edit environment.plist and substitute the two places where it refers to <shortname> with your account’s short name before placing it in the corresponding location):
environment.plist, copied under ~/.MacOSX/ (create it if it doesn’t exist).
gpg-agent.conf, copied under ~/.gnupg/ - It points to the location of pinentry-mac and specifies a default passphrase cache time of 6 hours.
login.command in ~/bin, a bash script that starts up gpg-agent and sets up the needed environment variables. This needs to be launched via Lingon as indicated in Mischa’s post.
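As an added example (not the files from the ZIP archive above), here is what login.command can look like, including the gpg-agent.conf it creates with the 6-hour cache; the path of the binary inside pinentry-mac.app and the ~/.gpg-agent-info location are assumptions:

```shell
#!/bin/bash
# login.command: start one gpg-agent per login session and publish its
# socket. Constructed example, not the author's archive. Assumptions: the
# binary inside pinentry-mac.app is Contents/MacOS/pinentry-mac, and the
# agent's env file lives at ~/.gpg-agent-info.
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
AGENT_INFO="$HOME/.gpg-agent-info"
PINENTRY="/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"

# Create gpg-agent.conf if it is missing: point at pinentry-mac and cache
# passphrases for 6 hours (21600 s). max-cache-ttl must be raised as well,
# otherwise its default (7200 s) silently caps the 6 hours.
write_agent_conf() {   # $1 = path to gpg-agent.conf
  if [ ! -e "$1" ]; then
    ( umask 077; printf '%s\n' "pinentry-program $PINENTRY" \
        "default-cache-ttl 21600" "max-cache-ttl 21600" > "$1" )
  fi
}

# --write-env-file leaves a line like
#   GPG_AGENT_INFO=/Users/me/.gnupg/S.gpg-agent:1234:1; export GPG_AGENT_INFO
# Succeed only if that pid is still alive, so a stale file from a previous
# login does not stop a fresh agent from being started.
agent_alive() {   # $1 = env file written by gpg-agent
  local pid
  [ -r "$1" ] || return 1
  pid=$(sed -n 's/^GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):.*/\1/p' "$1")
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start_agent() {
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  write_agent_conf "$GNUPGHOME/gpg-agent.conf"
  if ! agent_alive "$AGENT_INFO"; then
    gpg-agent --daemon --write-env-file "$AGENT_INFO" >/dev/null
  fi
  . "$AGENT_INFO"   # exports GPG_AGENT_INFO for this shell and its children
}

# Act only when run as login.command (e.g. by Lingon); sourcing the file
# elsewhere just defines the functions.
case "$(basename "$0")" in login.command) start_agent ;; esac
```

GUI applications launched by launchd do not inherit this shell's environment; that is what the environment.plist above is for.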
A logout / login later and voilà. My gnupg was previously configured with my keys, and I can now use PGP within Thunderbird for work and within Mail.app for my personal stuff (just to keep things somewhat separate). When an update to gnupg2 is released, all that is needed is to download the archive and re-run the configure-make-make install steps to update it. Whether you need to update pinentry-mac, well, that’s up to you.
ABxLDAP
I run an LDAP-over-SSL-based contacts directory to allow people to have access to my contacts list and keep it in sync with Apple’s AddressBook using J2Anywhere’s ABxLDAP. Nowadays they also have their own AddressBook Server product, but I have things working with LDAP already and do prefer to keep things so clients on other platforms have access.
In any event, upgrading to Leopard broke things. After configuring the ABxLDAP prefs pane, clicking on Sync would crash the preferences utility. I suspected it was because I use a self-signed certificate but the odd thing is that I configured the directory under Apple’s AddressBook (which, under Leopard, now supports LDAP-over-SSL) and I was able to query the directory for contacts just fine. I even imported the certificate into my keychain indicating to always trust it. No dice with ABxLDAP.
A little bit of googling turned up this post on AFP548 providing the solution. As it turns out, the missing piece to the puzzle was proper configuration of /etc/openldap/ldap.conf which is supposed to be used by all local clients. Apparently, AddressBook is not one of them.