Any UNIX API for GPG available?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 24 18:28:53 CEST 2009


On 06/24/2009 11:06 AM, Brian Mearns wrote:
> GPGME just invokes gnupg in a subshell, right? And parses the
> response? Not that this won't work, it just seems so inelegant.

Communicating a well-defined syntax across a process boundary doesn't
need to be inelegant.  There are many good implementations of various
tools that take advantage of the natural segmentation that the OS
provides via distinct processes.

One advantage for gnupg, for example, is that secret key material is
never loaded directly into the memory of the parent process, so it
cannot be copied or tampered with from there.

This is not to say that the GPGME arrangement is perfect, just that the
process separation model itself isn't inherently a bad one.

> Does
> anyone know of efforts to write an actual free-software library that
> implements OpenPGP?

There are several, but none are in terribly good shape for generic use
from what i can tell.

 OpenPGPSDK (sponsored by nominet, a UK DNS registrar) links against
OpenSSL for most of its crypto, and doesn't yet produce a shared library
(you can build statically-linked apps though).  Targets RFC 4880 (the
latest OpenPGP RFC), but still has substantial gaps in its coverage of
the RFC.

  http://openpgp.nominet.org.uk/

 Crypt::OpenPGP is a perl module, but it requires Math::Pari.
Unfortunately, the author of Math::Pari seems to think that you should
need to rebuild perl itself to use his module, so this doesn't lend
itself to binary redistribution (.debs and .rpms).  Crypt::OpenPGP only
implements RFC 2440 (the older version, deprecated).

  http://search.cpan.org/~btrott/Crypt-OpenPGP/

 OpenCDK used to be a separate library, but the latest versions seem to
be bundled with the GnuTLS source. It uses gcrypt for its crypto, but
has been stripped down to do just what GnuTLS needs.  Reviving it as a
separate project with its own life would be nice, i think.  It's also
GPL'ed, which is nice if you want to link it to GNU software.

  (i can't even find an upstream OpenCDK link anymore, so:
    http://www.gnu.org/software/gnutls/ )

FWIW, i've recently started trying to revise the dependencies of
Crypt::OpenPGP to get it to work without Math::Pari (upstream has been
non-responsive to a couple of queries), and OpenPGPSDK folks are
receptive to hearing about problems, though the project seems starved of
developer time to actually fix things; some patches offered languish
unapplied.  I need to investigate more into the history of choices
behind OpenCDK's evolution, but have not yet done so.

If anyone knows of other free implementations, i'd be happy to hear
about them too.

	--dkg
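
As an added example (not part of dkg's post, and not GPGME's own code): a small Python verifier showing that the subprocess protocol discussed above is a well-defined syntax, gpg's `--status-fd` records, and showing the check a caller needs beyond GOODSIG, namely a fingerprint match against the expected key and an acceptable TRUST_* level. The sample status output is constructed, the fingerprint is a placeholder, and the function names `gpg_verify_argv`, `parse_status`, `evaluate` and `is_acceptable` are chosen here.

```python
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "  # marks machine-readable records; all other output is ignored
ACCEPTED_TRUST = ("TRUST_FULLY", "TRUST_ULTIMATE")
FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")

@dataclass
class VerifyResult:
    goodsig: bool = False      # a GOODSIG record was seen
    fingerprint: str = ""      # signing key fingerprint taken from VALIDSIG
    trust: str = ""            # the TRUST_* keyword gpg reported
    failures: list = field(default_factory=list)

def gpg_verify_argv(sig_path, data_path):
    """argv that sends status records to stdout (fd 1) and keeps gpg non-interactive."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path]

def parse_status(output):
    """Yield (KEYWORD, args) for each [GNUPG:] record; human-readable lines are skipped."""
    for line in output.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]

def evaluate(output):
    r = VerifyResult()
    for kw, args in parse_status(output):
        if kw == "GOODSIG":
            r.goodsig = True
        elif kw == "VALIDSIG" and args:
            r.fingerprint = args[0].upper()  # full fingerprint, not the short key ID
        elif kw.startswith("TRUST_"):
            r.trust = kw
        elif kw in FAILURES:
            r.failures.append(kw)
    return r

def is_acceptable(r, expected_fpr):
    """GOODSIG alone is not enough: also require no failures, the expected key, and trust."""
    return (r.goodsig and not r.failures and r.fingerprint == expected_fpr.upper()
            and r.trust in ACCEPTED_TRUST)

# Constructed sample output (not captured from a real key); the fingerprint is a placeholder.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_TRUSTED = f"""gpg: Signature made Wed 24 Jun 2009 using RSA key ID 01234567
[GNUPG:] GOODSIG 89ABCDEF01234567 Example User <user@example.org>
[GNUPG:] VALIDSIG {FPR} 2009-06-24 1245860933 0 4 0 1 2 00 {FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
```

Run gpg with `gpg_verify_argv(...)` via `subprocess.run(..., capture_output=True, text=True)` and feed `proc.stdout` to `evaluate`; the human-readable diagnostics on stderr are never parsed.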
