GPGME python bindings query

Ben McGinnes ben at adversary.org
Mon Jul 9 09:42:52 CEST 2018


On Sun, Jul 08, 2018 at 09:52:23AM +0530, Divesh Uttamchandani wrote:
> Hi,
> 
> I want to generate revocation certificate for a key using GPGME
> python bindings.

The only way that GPGME can directly generate a revocation certificate
is when one is automatically generated using GnuPG 2.1 or above (you
should already be on 2.2 now anyway).  This is no different from
running either the "gpg --gen-key" or "gpg --full-gen-key" commands
and the revocation certificate is generated at the same time as the
key itself is.

You can, however, revoke user IDs with GPGME and there is an example
of that in the later sections of the Python Bindings HOWTO.  It's in
the sections using this guy for the example instead of Alice or Bob:

http://web1.east1.us.adversary.org/wp/wp-content/uploads/2018/07/danger-mouse-20180709-01.jpg

> I couldn't find example/docs which explain this. Can someone suggest a way
> to do so?

No.  Some things are intended to be done manually and revoking an
entire key is one of them.  If it must be automated then current key
generation will produce a revocation certificate by default and the
solution would be to apply that to a key store and/or any relevant
distribution channel (e.g. uploading it to the keyservers).

> I am not sure if there is a way, I tried to achieve this by the
> gpg.Context().interact functionality but couldn't find appropriate
> commands for certificate generation.

The gpg.Context().interact function is not intended for interacting
with all keys in the same way you might use "gpg --edit-key"; it's
intended for interacting with cards and tokens which store secret key
material.

While there are some low level functions present which were necessary
for GPGME, and consequently the bindings to it, to do what it does,
these functions are not intended to be used directly and are not
documented as a result.  These are functions which are actually
*lower* level than the gpgme_op_* functions.

In your case since this is an exploratory project for GSoC, the best
approach is that if something you're trying to do is both not
immediately apparent and if it were to be performed manually on the
command line would produce a whole bunch of warnings to the user to
confirm that they're sure and if they really want to do whatever it
is; then chances are good that not only is there no way to automate
it, but we will also advise against trying to do so by circumventing
those warnings. 

In anticipation of the inevitable question, there's also no function
for deleting UIDs or subkeys in GPGME.  Normally the window of
opportunity for doing anything like that is very narrow and it would
be expected to be performed manually and not automated.  Instead one
would revoke any UID which is no longer valid and there are plenty of
examples of that on keys currently in use.  Indeed, I've got one on
mine right now (it's the fourth one).  The following code will display
it on any key interactively:

    import gpg

    c = gpg.Context()
    fpr = input("Enter key ID or fingerprint: ")
    key = c.get_key(fpr, secret=False)
    # Print only the user IDs whose revoked flag is set.
    for uid in key.uids:
        if uid.revoked == 1:
            print(uid.uid)


Regards,
Ben
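An added example, not from this thread or the GPGME project, that generalizes Ben's snippet: it partitions a key's UIDs into revoked and valid ones and shows the other step his reply points at, applying the key's auto-generated revocation certificate to the local key store. It assumes the gpg bindings' Context, get_key and key_import as described in the Python Bindings HOWTO and GnuPG 2.1+'s openpgp-revocs.d/<FPR>.rev layout; apply_revocation is a hypothetical helper and the sample key and certificate text are constructed.

```python
import os
from types import SimpleNamespace

def split_uids(key):
    """Partition a key's user IDs into (revoked, valid) lists of uid strings.
    Needs only .uids items exposing .uid and .revoked, so it accepts a
    gpg.Key or the constructed stand-in below."""
    revoked = [u.uid for u in key.uids if u.revoked == 1]
    valid = [u.uid for u in key.uids if u.revoked != 1]
    return revoked, valid

def unguard_revocation_cert(text):
    """GnuPG 2.1+ writes the auto-generated certificate to
    openpgp-revocs.d/<FPR>.rev with a ':' before the BEGIN line so it
    cannot be imported by accident; strip that colon and nothing else."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line == ":-----BEGIN PGP PUBLIC KEY BLOCK-----":
            lines[i] = line[1:]
            break
    else:
        raise ValueError("no guarded BEGIN line; not an unused .rev file?")
    return "\n".join(lines) + "\n"

def apply_revocation(fpr, homedir=None):
    """Hypothetical helper: import the key's own revocation certificate
    into the local key store, which is what marks the key revoked there.
    Assumes the gpg bindings and a GnuPG 2.1+ home directory."""
    import gpg  # assumption: the GPGME python bindings are installed
    home = homedir or os.path.expanduser("~/.gnupg")
    path = os.path.join(home, "openpgp-revocs.d", fpr.upper() + ".rev")
    with open(path, "r", encoding="utf-8") as fh:
        armored = unguard_revocation_cert(fh.read())
    with gpg.Context(home_dir=homedir) as c:
        c.key_import(armored.encode("utf-8"))
        return c.get_key(fpr, secret=False).revoked == 1

# Constructed sample data so the pure helpers run without a keyring.
SAMPLE_KEY = SimpleNamespace(uids=[
    SimpleNamespace(uid="Dave <dave@example.org>", revoked=0),
    SimpleNamespace(uid="Dave <old@example.net>", revoked=1),
])
SAMPLE_REV_CERT = (
    "This is a revocation certificate for an OpenPGP key (constructed)\n"
    ":-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "Comment: constructed placeholder, not a real certificate\n"
    "\n"
    "<base64 revocation signature would be here>\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
```

Publishing the imported revocation (e.g. to keyservers) is a separate step, as the reply notes.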