MacPGP 2.6.3 Home Page

This page contains instructions on how to obtain FatMacPGP 2.6.3, the most recent version of MacPGP, optimized for PowerMacs (as well as M68K macs with a 68020CPU or better). For more information on the features of this software see the file MacPGP 2.6.3 Information. You may download the documentation separately below. There is also a discussion of implementing SHA1 hashing in PGP below.

New Bug Fix Version Released. On 18 July 1996 a new bug fix version of FatMacPGP 2.6.3 was released. This release bears the version number 2.6.3v1.6.1. It corrects a number of problems related to non-English language support (see bugs for details). If you use MacPGP exclusively for English language text messages (and/or binary messages), there is really no need to upgrade from version 1.6 to 1.6.1. The bug fix version has replaced the original version on Mike Johnson's anonymous FTP archive, so just follow the instructions below.

Due to U. S. export regulations (disregard of which can lead to criminal prosecution), FatMacPGP 2.6.3 may only be distributed to you if you satisfy both of the following two requirements:

You must be a U. S. citizen or permanent resident or a Canadian citizen.
The computer to which you are downloading the software is either in the U. S. A. or Canada.

Consequently there is a somewhat roundabout procedure required to download FatMacPGP 2.6.3, which is described below.

If you do not satisfy either of the above two requirements, you can obtain an international version MacPGP 2.6.3i from the international PGP home page. While the current international version is missing some of the ancillary features of FatMacPGP 2.6.3, its cryptographic strength is equivalent to FatMacPGP 2.6.3. (PS. A later bug fix version of MacPGP 2.6.3i may be obtained from the following site in Japan.)

You may obtain FatMacPGP 2.6.3 by downloading it from the anonymous FTP directory specified at the URL

http://www.sni.net/~mpj/usa/warning.htm

This page, which firstly specifies the exact conditions you must agree to in order to download FatMacPGP 2.6.3, also contains a link pointing to a page with links pointing to the files in question. That page also contains links to several older versions of MacPGP. The file names are

Fatmacpgp263v161.sea.hqx - executable and documentation (dated July 18, 1996)
Macpgp263sources.sit.hqx - C language sources (dated July 4, 1996)

If you have any trouble downloading the files you may find the following step-by-step directions, illustrated with screen shots, helpful.

If you have a vintage Mac with only a MC68000 CPU, such as a Plus, SE, PB100 or Classic, then you won't be able to use FatMacPGP 2.6.3. However you can download MacPGP 2.6.2 compiled for these machines from the same FTP site. (MIT only has version 2.6 for such machines, with key size limited to 1024 bits and with no AppleScript support. Moreover MIT MacPGP 2.6-68000 crashes whenever it reads or writes the PGP Preferences file.) The file name of this version is

MacPGP262b131(68000).sea.hqx

If you have difficulty finding this file you might look at the following detailed instructions.

To verify these MacPGP distributions you will need my PGP public key. To verify the signatures on my key you may need to download some other PGP keys from the MIT keyserver. To report bugs or other problems, send email to fiedorow@math.ohio-state.edu . Before doing this, check the following list of known bugs.

Download MacPGP Documentation (Also included in the FatMacPGP 2.6.3 distribution above.)

Getting started with MacPGP (MacBinary format)
MacPGP 2.6.3 Manual (MacBinary format)
MacPGP 2.6.3 Apple Events

Steganography Demonstration

- demonstrates the new stealth feature in MacPGP 2.6.3

Basic Links to Related Sites

MacPGP Tutorial: If you haven't seen MacPGP before, this gives you a basic idea of the look and feel of MacPGP. Note however that it references an obsolete version of MacPGP (version 2.6) and is misleading on some points. (Eg. it seems to imply that the ----BEGIN PGP MESSAGE--- header can be left out of PGP messages and it does not mention encryption/decryption via the Clipboard.) If you really need a tutorial on MacPGP, you will be better off downloading the "Getting started with MacPGP" documentation referred to above.
MacPGP: Encryption and Macintosh Page: This is a good reference for MacPGP front ends as well as other versions of MacPGP.
PGP FAQ (alternative link): This is the current comprehensive, definitive FAQ on PGP. Supersedes all other PGP FAQ's. (The FAQ on www.stack.urc.tue.nl is slightly newer than the one on www.pgp.net, but the latter site includes many other PGP related items.)
Cryptography and PGP Page: This is a good starting point for looking for PGP related items on the worldwide web.
PGP Users Mailing List Home Page: This contains a larger and fresher collection of PGP related links on the worldwide web, but not as carefully organized.
Crypto-Log: Internet Guide to Cryptography: This site contains a huge and well-organized collection of references to cryptography related material (not just PGP) on the worldwide web. May be a bit overwhelming for a novice.
Ultimate Macintosh: Probably the largest collection of links to Macintosh resources on the worldwide web.

PGP and SHA1

Here are some modifications to PGP which allow it to use SHA1 for signature hashes instead of MD5, which it currently uses. (Dobbertin, who has already cracked MD4, seems to be making rapid progress on a similar collision attack against MD5.)

Note: These modifications are already built into FatMacPGP 2.6.3 and are included in the source code. So you will only need to compile these modifications if you are building PGP for a non-Macintosh platform.

These modifications are provided for experimental purposes only. If used, resulting signatures will be unintelligible to earlier versions of PGP. There is no assurance that future versions of PGP will use this signature format either. These modifications only allow PGP to sign files using SHA1 hashes. MD5 is still exclusively used for key certification, random bit generation, and hashing passwords, since collision attacks are irrelevant for these uses.

These modifications have been tested under MacOS, Solaris and MS-DOS (DJGPP). Run "patch" on the appropriate dif file against either the 2.6.2 or the 2.6.3 source code distribution. Then add "sha1.c" and "sha1.h" to the resulting sources and compile with the additional flag "-DSHA1"

To activate SHA1 signatures in the resulting executable, add 'x' to the signing options, eg.

pgp -satx input_file

The executable transparently verifies either type of signature (old MD5 or new SHA1).

The source code module "sha1.c" below has the SHA1_DEBUG compiler flag turned on. If you compile with this flag on, you can debug the resulting executable as follows. If you place a file with the name "shadbg" in the directory from which you launch this version of pgp, every time you make a PGP SHA1 signature, all the material that is signed will be written to a file "shadbgxx" and the SHA1 hash will be written to "shadbgxx.sha". You can then verify with any trusted implementation of SHA1 that the hash was computed correctly. Here xx is the first available index in the range from 0 to 99.

Patch for PGP 2.6.2 sources

Patch for PGP 2.6.3 sources

sha1.c

sha1.h

Changes to PGP Signature Format

Sample PGP-SHA1 signed message

This page has been accessed [an error occurred while processing this directive] times since 8 July 1996.
Last updated: 14 Jan. 1997