Golang "OpenPGP" implementation...

Casey Marshall casey.marshall at gmail.com
Thu Jun 11 14:07:34 CEST 2015


On 06/07/2015 07:49 PM, Phil Pennock wrote:
> On 2015-06-05 at 16:39 +0200, Low Eel wrote:
>> As you probably (?) know, Google launched their language, golang, and it ships
>> with something they call "OpenPGP" libraries:
> 
> OpenPGP is the IETF name for the specification.  The Internet
> Engineering Task Force defines the protocol.  GnuPG is one
> implementation of the OpenPGP specification, and today is very probably
> the dominant implementation.
> 
>> https://godoc.org/golang.org/x/crypto/openpgp
>>  
>> I know because I am going to write some server using GPG and I was looking for
>> some library. Now the name "OpenPGP" Google is using seems promising, but.
>>
>> - Are those libraries a port/endorsed/written together with the gpg dev?
>> - Does anyone know if they are 100% compatible or a "google flavour"?
> 
> They are Google's implementation of the IETF standard.  Compatibility is
> a complex issue but in general anything claiming "100% compatible"
> should be viewed with suspicion.  Most products aren't even fully 100%
> compatible with themselves across versions; in good projects, such
> breakages then lead to additions to regression tests to try to avoid
> repeating such embarrassments.
> 
> Casey Marshall wrote a PGP keyserver, Hockeypuck, designed to interop
> with SKS (the dominant PGP keyserver); Hockeypuck is written in Go and
> Casey tried to use the Google-provided x package, but ran into some
> limitations and forked off something which he could adapt to work for
> his use-case:
> 
>   https://github.com/hockeypuck/openpgp/tree/v1
> 
> (see also: https://hockeypuck.github.io/contributing.html )
> 

To clarify -- and I should perhaps document this better on the
hockeypuck site and project page -- github.com/hockeypuck/openpgp is not
a fork of golang.org/x/openpgp. It's a wrapper around
golang.org/x/crypto/packet, a low-level OpenPGP packet processing API,
for the specific purpose of parsing key material to build a public
keyserver -- which needs to deal with good, bad, ugly and as-of-yet
unsupported key material. This is a much different concern from the
high-level OpenPGP API in x/crypto, which is more about using OpenPGP
for signing and encryption.

> I recommend evaluating both Google's package and Casey's, to see which
> is a better fit for your needs.  Figure out why you choose one, and use
> the differences as inspiration so that you know when and how to fork
> yourself, to get closer to the level of compatibility which you need.
> 

Use golang.org/x/crypto.

github.com/hockeypuck/openpgp is really only useful if you're developing
your own public keyserver, or have some other special-case need to
process OpenPGP packets (perhaps for some WoT analysis, debugging
OpenPGP implementations, etc.)

> Good luck!
> -Phil

-- 
-Casey
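
Added example, not part of the original message and not code from Hockeypuck or golang.org/x/crypto: a standard-library-only sketch of the framing-level packet walk that lets a keyserver keep key material it cannot interpret, following RFC 4880 section 4.2. The names Walk, Packet, errFraming and sample are hypothetical, the input bytes are constructed, and partial and indeterminate body lengths are assumed out of scope and reported as errors.

```go
package main

import (
	"errors"
	"fmt"
)

// Packet is one framed OpenPGP packet; Body is kept raw and uninterpreted.
type Packet struct {
	Tag  uint8
	Body []byte
}
var errFraming = errors.New("malformed, truncated or unsupported packet framing")

// Walk splits buf using only RFC 4880 section 4.2 framing, so packets with
// unknown tags survive. On error it returns the packets read before the bad one.
func Walk(buf []byte) ([]Packet, error) {
	var out []Packet
	for len(buf) > 0 {
		if len(buf) < 2 || buf[0]&0x80 == 0 { // bit 7 must be set
			return out, errFraming
		}
		h, o := buf[0], buf[1]
		tag, start, hdr, adj, n := h&0x3f, 1, 0, 0, 0 // new-format tag: bits 5-0
		switch newFmt := h&0x40 != 0; {
		case newFmt && o < 192: // one-octet length
			hdr = 2
		case newFmt && o < 224: // two-octet length: ((o-192)<<8) + next + 192
			hdr, adj = 3, 192<<8-192
		case newFmt && o == 255: // five-octet length
			start, hdr = 2, 6
		case !newFmt && h&3 < 3: // old format: tag in bits 5-2, 1/2/4 length octets
			tag, hdr = (h>>2)&0x0f, 1+1<<(h&3)
		default: // partial and indeterminate lengths: out of scope here
			return out, errFraming
		}
		for i := start; i < hdr && i < len(buf); i++ {
			n = n<<8 | int(buf[i]) // big-endian length octets
		}
		if n -= adj; n < 0 || n > len(buf)-hdr { // also catches a short header
			return out, errFraming
		}
		out = append(out, Packet{tag, buf[hdr : hdr+n]})
		buf = buf[hdr+n:]
	}
	return out, nil
}
// Constructed input: tag 6 (old format), tag 60 (new format), truncated tag 13.
var sample = []byte{0x98, 0x03, 1, 2, 3, 0xfc, 0x02, 9, 9, 0xcd, 0x05, 'x'}
func main() { fmt.Println(Walk(sample)) }
```

On the constructed input this returns the first two packets, including the one with the private/experimental tag 60, together with an error for the truncated third packet.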


