Help with python library

Ben McGinnes ben at adversary.org
Sun Mar 11 06:52:45 CET 2018


On Thu, Mar 08, 2018 at 11:29:33PM +0100, Marcel Fest wrote:
> 
> Sorry that I replied offlist, but I am not that used to mailing lists.

It's all right, just *really* inefficient.  I've been online for a
while now and had this email address for much of that time; I receive
a lot of email, and if there isn't an existing rule for an address then
it'll end up in one of several catchalls (depending on which address
was used mainly).  I'll see those emails eventually, but it was pure
luck that I saw yours the same month as it was sent ... let alone the
same week.

Whereas most of my list subscriptions are filtered on the list-id
header information.

> I now use a combination of the gpgme python bindings for decryption
> and for encryption I use PGPy, because I need a dedicated keyring
> and gpgme does not create one for me like the gpg CLI does.

By default GPGME will use the same configuration and keyring/keybox of
the user invoking the code.  That can be changed to a custom or
alternative configuration or homedir location, but it is a little
fiddly.  Mind you, so is doing that on the command line.

> To get the keys from the KeyServers I use a customized version of a
> github project which speaks to defined KeyServers with requests.

Fair enough.  HKP and HKPS are just slightly modified HTTP and HTTPS
anyway (well, actually they haven't modified those protocols, they
just define that what's running on them is a keyserver and then define
that).

I used to do something similar when directing certain key retrievals
through Tor (before it was supported natively), but now I can't recall
where I left that script.  Oh well.

> All in all I now have a working version of my CLI completely without
> subprocess bindings.

Which is excellent to hear.

> python-gnupg is good but only a CLI wrapper for the gpg CLI via
> subprocess.

For relative values of good.  It's okay for quick and dirty if the
only people accessing the script already have shell access, but
otherwise it's been known to have issues.  It also has a very limited
subset of GPG features and sometimes for rather surprising reasons.

> PGPy also has support for getting issuers out of encrypted
> files.

Hmm, I suspect that most use of list-packets or pgpdump on an
encrypted message is to check the number and key IDs a message is
encrypted to prior to attempting decryption and so there's probably a
decent enough case for adding that to GPGME.  Probably the ciphers and
algorithms used too.

The other lacking item is support for groups from the gpg.conf.  I've
got a workaround for that, but it's not ideal (and it's also not
online yet, I want to give it some basic testing first).


Regards,
Ben


More information about the Gnupg-devel mailing list