GPGME python bindings query

Jacob Adams tookmund at gmail.com
Tue Jul 10 19:01:10 CEST 2018


On 07/09/2018 03:42 AM, Ben McGinnes wrote:
> On Sun, Jul 08, 2018 at 09:52:23AM +0530, Divesh Uttamchandani wrote:
>> Hi,
>>
>> I want to generate revocation certificate for a key using GPGME
>> python bindings.
> 
> The only way that GPGME can directly generate a revocation certificate
> is when one is automatically generated using GnuPG 2.1 or above (you
> should already be on 2.2 now anyway).  This is no different from
> running either the "gpg --gen-key" or "gpg --full-gen-key" commands
> and the revocation certificate is generated at the same time as the
> key itself is.
> 
> You can, however, revoke user IDs with GPGME and there is an example
> of that in the later sections of the Python Bindings HOWTO.  It's in
> the sections using this guy for the example instead of Alice or Bob:
> 
> http://web1.east1.us.adversary.org/wp/wp-content/uploads/2018/07/danger-mouse-20180709-01.jpg
> 
>> I couldn't find example/docs which explain this. Can someone suggest a way
>> to do so.
> 
> No.  Some things are intended to be done manually and revoking an
> entire key is one of them.  If it must be automated then current key
> generation will produce a revocation certificate by default and the
> solution would be to apply that to a key store and/or any relevant
> distribution channel (e.g. uploading it to the keyservers).

I'm actually manually generating a GPG revocation certificate in my own
project (by calling gpg from subprocess). I know I shouldn't be doing
this, but I didn't see another way (and based on the above there isn't
one).

I would prefer to use the automatically generated certificate as it also
comes with some useful explanation text, but the problem I'm having is
that there is no way to trigger this generation from GPGME and it
appears to happen whenever you generate your first subkey (or perhaps
your first signing subkey, haven't dug that much into it). I'd like to
inform the user every time they will be prompted for their password and
a random extra password prompt for the revocation certificate that I
can't control doesn't really help there. If there's some way I could
manually trigger this process that would be great.


> In your case since this is an exploratory project for GSoC, the best
> approach is that if something you're trying to do is both not
> immediately apparent and if it were to be performed manually on the
> command line would produce a whole bunch of warnings to the user to
> confirm that they're sure and if they really want to do whatever it
> is; then chances are good that not only is there no way to automate
> it, but we will also advise against trying to do so by circumventing
> those warnings. 

I definitely need to keep this in mind.

Thanks,
Jacob
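
An added example, not code from this thread or from the GPGME project, of the route Ben describes above: pick up the revocation certificate that GnuPG 2.1+ writes beside a newly created key, separate the explanatory header (which Jacob wants to show the user) from the armored block, strip the guard colon GnuPG inserts so the file cannot be imported by accident, and apply the result to a keyring through the gpg module's Context.key_import. The sample file contents, fingerprint and paths are constructed; the only external assumption is that the GPGME Python bindings are installed for the final import step.

```python
import os
import re

# Constructed, abridged stand-in for the file GnuPG 2.1+ writes to
# $GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev when it creates a key.
# Wording is paraphrased; the armored body is filler, not a real packet.
SAMPLE_REV = """\
This is a revocation certificate for the OpenPGP key:

pub   rsa2048 2018-07-10 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid          Example User <user@example.invalid>

To avoid an accidental use of this file, a colon has been inserted
before the 5 dashes below.  Remove this colon with a text editor
before importing and publishing this revocation certificate.

:-----BEGIN PGP PUBLIC KEY BLOCK-----
iQE2BCABCAAgFiEEQUJDREVGR0hJSktMTU5PUFFSU1RVBQJbTKNJAh0AAAoJEEFC
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
"""

# Matches the armored block; the guard colon, if present, stays outside group 1.
ARMOR_RE = re.compile(
    r"^:?(-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----)",
    re.S | re.M)

def revocation_cert_path(home_dir, fingerprint):
    """Where GnuPG 2.1+ stores the certificate generated alongside the key."""
    return os.path.join(home_dir, "openpgp-revocs.d", fingerprint.upper() + ".rev")

def split_revocation_file(text):
    """Return (explanation, armor): GnuPG's explanatory header, suitable for
    showing the user, and the armored certificate with the guard colon removed
    so it imports as-is. Returns (text, None) when no armored block is found."""
    m = ARMOR_RE.search(text)
    if m is None:
        return text, None
    return text[:m.start()].rstrip(), m.group(1) + "\n"

def apply_revocation(armored, home_dir=None):
    """Import the unguarded certificate with the GPGME Python bindings. This marks
    the key revoked in that keyring (the "apply to a key store" step); publishing
    it to a keyserver is a separate action. The gpg import is deferred so the
    pure helpers above run without the bindings installed."""
    import gpg  # GPGME Python bindings, assumed installed
    c = gpg.Context()
    if home_dir is not None:
        c.home_dir = home_dir
    return c.key_import(armored.encode("utf-8"))
```

Typical use is `expl, armor = split_revocation_file(open(revocation_cert_path(home, fpr)).read())`, show `expl` to the user, then `apply_revocation(armor, home)` once they confirm.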
