This page contains instructions on how to obtain FatMacPGP 2.6.3, the most recent version of MacPGP, optimized for PowerMacs (as well as M68K macs with a 68020CPU or better). For more information on the features of this software see the file MacPGP 2.6.3 Information. You may download the documentation separately below. There is also a discussion of implementing SHA1 hashing in PGP below.
New Bug Fix Version Released. On 18 July 1996 a new bug fix version of FatMacPGP 2.6.3 was released. This release bears the version number 2.6.3v1.6.1. It corrects a number of problems related to non-English language support (see bugs   for details). If you use MacPGP exclusively for English language text messages (and/or binary messages), there is really no need to upgrade from version 1.6 to 1.6.1. The bug fix version has replaced the original version on Mike Johnson's anonymous FTP archive, so just follow the instructions below.
Due to U. S. export regulations (disregard of which can lead to criminal prosecution), FatMacPGP 2.6.3 may only be distributed to you if you satisfy both of the following two requirements:
If you do not satisfy either of the above two requirements, you can obtain an international version MacPGP 2.6.3i from the international PGP home page. While the current international version is missing some of the ancillary features of FatMacPGP 2.6.3, its cryptographic strength is equivalent to FatMacPGP 2.6.3. (PS. A later bug fix version of MacPGP 2.6.3i may be obtained from the following site in Japan.)
You may obtain FatMacPGP 2.6.3 by downloading it from the anonymous FTP directory specified at the URL
If you have any trouble downloading the files you may find the following step-by-step directions, illustrated with screen shots, helpful.
If you have a vintage Mac with only a MC68000 CPU, such as a Plus, SE, PB100 or Classic, then you won't be able to use FatMacPGP 2.6.3. However you can download MacPGP 2.6.2 compiled for these machines from the same FTP site. (MIT only has version 2.6 for such machines, with key size limited to 1024 bits and with no AppleScript support. Moreover MIT MacPGP 2.6-68000 crashes whenever it reads or writes the PGP Preferences file.) The file name of this version is
To verify these MacPGP distributions you will need my PGP public key. To verify the signatures on my key you may need to download some other PGP keys from the MIT keyserver. To report bugs or other problems, send email to firstname.lastname@example.org . Before doing this, check the following list of known bugs.
- demonstrates the new stealth feature in MacPGP 2.6.3
Here are some modifications to PGP which allow it to use SHA1 for signature hashes instead of MD5, which it currently uses. (Dobbertin, who has already cracked MD4, seems to be making rapid progress on a similar collision attack against MD5.)
Note: These modifications are already built into FatMacPGP 2.6.3 and are included in the source code. So you will only need to compile these modifications if you are building PGP for a non-Macintosh platform.
These modifications are provided for experimental purposes only. If used, resulting signatures will be unintelligible to earlier versions of PGP. There is no assurance that future versions of PGP will use this signature format either. These modifications only allow PGP to sign files using SHA1 hashes. MD5 is still exclusively used for key certification, random bit generation, and hashing passwords, since collision attacks are irrelevant for these uses.
These modifications have been tested under MacOS, Solaris and MS-DOS (DJGPP). Run "patch" on the appropriate dif file against either the 2.6.2 or the 2.6.3 source code distribution. Then add "sha1.c" and "sha1.h" to the resulting sources and compile with the additional flag "-DSHA1"
To activate SHA1 signatures in the resulting executable, add 'x' to the signing options, eg.
The source code module "sha1.c" below has the SHA1_DEBUG compiler flag turned on. If you compile with this flag on, you can debug the resulting executable as follows. If you place a file with the name "shadbg" in the directory from which you launch this version of pgp, every time you make a PGP SHA1 signature, all the material that is signed will be written to a file "shadbgxx" and the SHA1 hash will be written to "shadbgxx.sha". You can then verify with any trusted implementation of SHA1 that the hash was computed correctly. Here xx is the first available index in the range from 0 to 99.
This page has been accessed times since 8 July 1996.
Last updated: 14 Jan. 1997