On Thu, Jul 1, 2010 at 11:48 AM, wrote:
Curious if any of you are using GPG or PGP encryption and/or signatures
in your Python apps?
Yes; disclaimer: I'm the author of evpy and am currently working on a
openssl wrapper proposed for inclusion in the stdlib.
In particular are you:
1. clearsigning specific emails?
Yes; I use python-gnupg.
2. validating clearsigned emails from others?
Yes, see above.
3. encrypting/decrypting files?
Yes, I use evpy.
4. generating signatures for files that you are exchanging/posting for
Yes, evpy again.
5. what public keyring services are you using?
Can't comment on this as I don't use them.
I'm also looking for recommendations on which 3rd party modules you're
using for these tasks? In particular is there a particular module you
prefer or have concerns about?
Obviously I'm biased towards evpy, but I'm a really, really big fan of
people not rolling their own crypto. It sounds like for most of what
you want to do gpg or python-gnupg are pretty good options.
Here's my short list of modules that *might* support encryption and
signing in general:
Supports encryption and signing; a high quality library with much to
recommend it, assuming you need the full power of openssl and are
able to use SWIG'd software. I think you probably have easier to
use alternatives here, though.
- pycrypto (standalone or with expycrypto or yawpycrypto wrappers)
pycrypto is a good library as far as it goes, but I see a lot of
nonexperts do things very badly with it, and AFAICS it hasn't seen
the same level of scrutiny that something like openssl has,
especially WRT side channel cryptanalysis. That's very worrying.
no experience here, can't comment.
I like it ;). It supports encryption (public and private key) as well
as signing and verification routines, and as long as you know
your threat model it's reasonably hard to screw up. Having said
that, it doesn't do anything with the web of trust or key revocation
etc OOTB, so if what you're really looking for is gpg in python, use
the right tool for the job.
- python-gnupg (by developer of Python's logging module)
I use it and like it for the reasons above.
Any comments on using the subprocess module to wrap the gpg or openssl
command line utilities? This seems to be a common technique for
encryption and signing solutions and appears to the technique used by
python-gnupg (for example).
Seems fine, just make sure you know and trust where your keys are