How to Build GnuPG 2 from Source on OS X

September 01, 2018

I’m a big fan of homebrew, but when it comes to encryption, I get paranoid and prefer to build the software myself.

Building Unix software from source is actually pretty simple. If you’ve never done it, this is a good opportunity to try. GnuPG requires several packages, so you’ll get to practice several times.

Versions

These instructions were tested with gnupg-2.2.9 on macOS High Sierra 10.13.6, but they should be useful for other versions as well.

List of Packages

GnuPG requires installing several packages. The download page has all of them, but this is more than you need. It’s better to follow the list that comes in the README instead, so let’s start by downloading and extracting GnuPG.

The location of the tar file comes from the download link on the download page:

cd /usr/local/src # preferred location for sources
curl -o gnupg-2.2.9.tar.bz2 \
  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.9.tar.bz2

Before uncompressing the tarball you need to verify that this is the original and unmodified version of the source. If you have an existing installation of gpg you can verify the tarball’s signature. Otherwise you have to compare the file checksum, which is what I did. The list of checksums is on the integrity page.

openssl sha1 gnupg-2.2.9.tar.bz2

Once you have verified that the checksum printed by this command matches the checksum listed on the integrity page, you can uncompress it.

tar -xvjf gnupg-2.2.9.tar.bz2
cd gnupg-2.2.9
cat README

The BUILD INSTRUCTIONS section of the README lists the required packages. It also has all the instructions you need. In fact you could stop reading this and continue with the README instead.

Building from Source

The steps to build from source are the same for every package. For npth, for example, they would be:

cd /usr/local/src
curl -o npth-1.6.tar.bz2 \
  https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
openssl sha1 npth-1.6.tar.bz2
# compare the output against gnupg.org/download/integrity_check.html
tar -xvjf npth-1.6.tar.bz2
cd npth-1.6
./configure # no options except for pinentry (see below)
make
make check
make install

The ./configure script gathers information about your environment: the command to invoke the C compiler, location of libraries, etc. It verifies that all dependencies are met. It also generates the Makefile and defines some constants.

Calling make will compile all sources using the Makefile generated by the previous step.

The make check step is not required, but it is a good idea for detecting any issues. In the case of libgcrypt it also runs some benchmarks, but for me they ran for too long and I ended up canceling it.

Sometimes make or make check will issue errors. I didn’t run into any in this case, but in the past, for older versions of GPG, I did get one when the location of files was different; in another instance some constant definitions were missing.

make install will copy executables and libraries and create symbolic links in directories where they can be accessed. Sometimes you might need extra permissions to finish this step and have to run it using sudo. It didn’t happen to me.
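
The download, checksum and extract steps repeated above for gnupg and npth can be wrapped so that a tarball is only extracted when its SHA-1 matches the value copied from the integrity page. This is an added example, not part of the original post; the function names sha1_of, verify_sha1 and extract_verified are made up here, and the expected value in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify a tarball's SHA-1 before extracting it.

# Print the SHA-1 of a file as bare lowercase hex.
sha1_of() {
  if command -v openssl >/dev/null 2>&1; then
    # Output looks like "(stdin)= <hex>" or "SHA1(stdin)= <hex>"; keep the last field.
    openssl sha1 < "$1" | awk '{print $NF}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 < "$1" | awk '{print $1}'
  else
    sha1sum < "$1" | awk '{print $1}'
  fi
}

# verify_sha1 FILE EXPECTED  -> 0 match, 1 mismatch, 2 unusable input
verify_sha1() {
  vs_file=$1
  # Normalize what was copied from the web page: drop whitespace, lowercase.
  vs_want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  case $vs_want in
    ''|*[!0-9a-f]*) echo "expected value is not a hex digest" >&2; return 2 ;;
  esac
  # SHA-1 is 160 bits = 40 hex characters; a truncated paste must not pass.
  [ "${#vs_want}" -eq 40 ] || { echo "expected value is not 40 hex chars" >&2; return 2; }
  [ -f "$vs_file" ] || { echo "no such file: $vs_file" >&2; return 2; }
  vs_got=$(sha1_of "$vs_file")
  if [ "$vs_got" = "$vs_want" ]; then
    echo "OK  $vs_file"
    return 0
  fi
  echo "MISMATCH  $vs_file" >&2
  echo "  expected $vs_want" >&2
  echo "  actual   $vs_got" >&2
  return 1
}

# extract_verified FILE EXPECTED [DIR]: untar only when the checksum matches.
extract_verified() {
  verify_sha1 "$1" "$2" && tar -xjf "$1" -C "${3:-.}"
}

# Usage (placeholder, paste the real value from the integrity page):
#   extract_verified gnupg-2.2.9.tar.bz2 '<sha1-from-integrity-page>' /usr/local/src
```

A checksum read from the same site as the tarball mainly catches a corrupted or swapped download; once gpg is installed, the signature check mentioned earlier is the stronger test for later downloads.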

Pinentry Options

For all the other packages I used the defaults, i.e. I didn’t provide any options to ./configure. Pinentry was the exception. It is used to enter passwords/passphrases, and since I’m a terminal-type person I like to use tty:

./configure \
  --disable-pinentry-qt \
  --disable-pinentry-emacs \
  --disable-inside-emacs \
  --disable-pinentry-gtk2 \
  --disable-pinentry-curses \
  --enable-pinentry-tty

When you run this command the output should be:

Pinentry v1.1.0 has been configured as follows:
[output omitted]
Default Pinentry .: pinentry-tty

Finally Build GnuPG

Once all the packages are done you should be ready to finish building GnuPG:

cd /usr/local/src/gnupg-2.2.9
./configure
make
make check
make install
