|
Size: 4702
Comment: Better description of GnuPG. Adding commend about how to access GnuPG functions.
|
← Revision 33 as of 2019-07-20 01:38:31 ⇥
Size: 6895
Comment: update package info - can't verify CentOS / RedHat info and looking at package contents the library given seems to be the wrong one so deleting for now.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 4: | Line 4: |
| [[http://www.gnupg.org|GNU Privacy Guard]] is a Free Software Gnu GPLed implementation of the crypto standards OpenPGP and CMS (used by S/MIME). Also known as "GnuPG" or "GPG". There are several principle ways to access GnuPG functions from Python: 1. use the official GPGME library or do something more low level like 2. run the gpg commands and pipe to them. The GnuPG initiative recommends using GPGME because it provides a documented API. | |
| Line 6: | Line 5: |
| = PyMe Python interface to GPGME = [[http://pyme.sourceforge.net/|PyMe]] is a python interface to [[http://www.gnupg.org/related_software/gpgme/|GnuPG Made Easy (GPGME)]] library. |
[[http://www.gnupg.org|GNU Privacy Guard]] is a Free Software GNU GPLed implementation of the crypto standards OpenPGP and CMS (used by S/MIME). Also known as "GnuPG" or "GPG". There are a couple of principal ways to access GnuPG functions from Python programs: |
| Line 9: | Line 7: |
| GPGME is a library designed to make access to GnuPG easier for applications. It provides a high-level cryptography API for encryption, decryption, signing, signature verification, and key management. It currently uses GnuPG as its backend, but the API is not restricted to this engine. In fact, support for other backends is planned. | 1. use the official GPGME library. 1. run the gpg commands and pipe to them. |
| Line 11: | Line 10: |
| PyMe's development model is GPGME + Python + SWIG (just like m2crypto is an OpenSSL + Python + SWIG) combination which means that most of the functions and types are converted from C into Python automatically by SWIG. In short, to be able to use PyMe you need to be familiar with GPGME. | The GnuPG initiative recommends using GPGME because it provides a documented API. |
| Line 13: | Line 12: |
| = Python/GnuPG interface = The original [[http://www.amk.ca/python/code/gpg|Python/GnuPG interface]] is no longer actively maintained by amk. Please record comments, recipes, and patches on this Wiki page. If anyone wants to maintain the module and needs a CVS repository to store the code, just ask for write permission to the [[http://www.sf.net/projects/pycrypto/|pycrypto project on SourceForge]]. |
= Accessing GnuPG via gpgme = |
| Line 17: | Line 14: |
| = News Flash! = I've added a great deal to amk's GPG.py, building on Richard Jones' 1.3 update and adding more support for the decryption, signing, key management, bells, whistles, and so on which amk's original design implied. This is still a pure-python implementation, and requires nothing that is not in Python 2.2.1 or later, other than the gpg executable itself. This is *not* a drop-in replacement; I needed to make some interface changes to support decryption and to better abstract the internals of returned objects -- it might want to be called GPG2.py (or maybe something like GPGng.py to prevent confusion with anything related to gnupg version 2 -- ideas welcome, as well as opinions on whether the name needs to be changed in the first place). |
[[https://gnupg.org/software/gpgme/index.html|GPGME]] is the official library for accessing GNU Privacy Guard from programs. Although there are [[https://pypi.org/project/gpg/|python bindings for GPGME]] included within PyPi which could be installed with `pip`, this is not recommended by the GPG project and is unlikely to work since the PyPi library version would have to exactly match the version of GNUPG installed on your system. Instead either |
| Line 20: | Line 16: |
| I don't know yet where the new module's permanent home is going to be, but as of this writing (July 2005) you can find it in the [[http://trac.t7a.org/isconf|ISconf]] SVN Repository at http://trac.t7a.org/isconf/file/trunk/lib/python/isconf/GPG.py. The right thing for me (or someone) to do going forward will be to confirm the license with amk and/or re-publish under the GPL, and post it somewhere more permanent. If you do any of this before I get to it, then please update this page. -- SteveTraugott |
* install and use the version available with your operating system (see table below) or * build gpgme and the associated language bindings and [[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob_plain;f=INSTALL;hb=HEAD|install from source]] |
| Line 23: | Line 20: |
| = News Update! = Just four years on (July 2009) from Steve Traugott's sterling work mentioned above, I've updated the module (now called gnupg.py to avoid confusion) and made it available (under the New BSD License) at http://code.google.com/p/python-gnupg/ - it uses the subprocess module and so is easiest to use under Pythons >= 2.4. A unittest harness is also included. |
The manual is currently missing from the various python documentation repositories but there is an [[https://files.au.adversary.org/crypto/gpgme-python-howto.html|online manual at adversary.org]] ( /!\ bad HTTPS certificate at time of writing). |
| Line 26: | Line 22: |
| = GnuPGInterface = | == per operating system install instructions == |
| Line 28: | Line 24: |
| [[http://py-gnupg.sourceforge.net/|GnuPGInterface]] is a Python module to interface with GnuPG. (This is a different project than the one mentioned above.) It concentrates on interacting with GnuPG via filehandles, providing access to control GnuPG via versatile and extensible means. |
The following commands should install gpgme's python library on various operating systems |
| Line 32: | Line 26: |
| This module is based on GnuPG::Interface, a Perl module by the same author. Unfortunately, like the related Perl module it is not very easy to use. | || '''operating system''' || '''package''' || '''example command''' || || [[https://alpinelinux.org/|alpine]] || py3-gpgme || {{{apk add py3-gpgme}}} || || [[https://www.debian.org/|debian]] || python3-gpg || {{{apt install python3-gpg}}} || || MacOS ([[https://brew.sh/|homebrew]]) || gpgme || {{{brew install gpgme}}} || || [[https://ubuntu.com/|Ubuntu]] || python3-gpg || {{{apt install python3-gpg}}} || |
| Line 34: | Line 32: |
| = openpgp = | = Running gpg executables = |
| Line 36: | Line 34: |
| Another worthy successor might be the [[http://pypi.python.org/pypi/OpenPGP/|Python opengpg]] which also uses the [[http://www.amk.ca/python/code/crypto.html|Python Crypto Toolkit]]. | There are multiple libraries which drive the gpg binary as a program and interpret its output. This approach is older and more mature than the library but is not recommended and has lead to a number of vulnerabilities both in the python modules, related systems and other programs such as email programs which work in this way. |
| Line 38: | Line 36: |
| = cryptlib = | == pretty-bad-protocol == |
| Line 40: | Line 38: |
| [[http://www.cs.auckland.ac.nz/~pgut001/cryptlib/|cryptlib]] also offers access to [[http://www.openpgp.org/|OpenPGP]] methods. It has a python-interface, but it's not natural at all. | [[https://pypi.org/project/pretty-bad-protocol/|pretty-bad-protocol]] is a rewrite of python-gnupg with a more conservative coding approach. This library can be installed with: |
| Line 42: | Line 40: |
| = pgp-mime = | {{{python -m pip install pretty-bad-protocol}}} |
| Line 44: | Line 42: |
| [[http://pypi.python.org/pypi/pgp-mime/|pgp-mime]] makes it easy to construct, verify, and send signed and/or encrypted email. It uses a [[http://pypi.python.org/pypi/pyassuan/|pyassuan]]-based connection to [[http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob;f=src/gpgme-tool.c;hb=HEAD|gpgme-tool]] for the cryptography, which is isolated in a {{{pgp_mime.crypt}}} module if you don't need the extra email-handling functionality. | improvements over `python-gnupg` include whitelisting of `gpg` program output designed to protect against vulnerabilities caused by changes in the program output. == python-gnupg == [[https://pypi.org/project/python-gnupg/|python-gnupg]] is the most widely used and recommended library. This library has had multiple vulnerabilities in the past, however it is under active development so currently known vulnerabilities are believed to have been fixed. It can be installed with: {{{python -m pip install python-gnupg}}} = history = Not mentioned in this history there are a number of other old libraries which were built to support access to GNU Privacy Guard. These probably should not be used in new projects. == history of libraries that call the gpg program == The original Python/GnuPG interface was written by [[http://amk.ca/|amk]]. This was updated in 2005 by SteveTraugott to GPG.py 2005 using pipes) building on Richard Jones' 1.3 update and adding more support for the decryption, signing, key management, bells, whistles, and so on which amk's original design implied. This was still a pure-python implementation for Python 2.2.1 requiring only gpg executable itself. This was *not* a drop-in replacement. In parallel with the GnuPG interface a separate [[https://pypi.org/project/GnuPGInterface/|GnuPGInterface]] was released in 2002. This project has not been updated since 2006 and the project pages are now broken so it should no longer be used in new software. It concentrates on interacting with GnuPG via filehandles, providing access to control GnuPG via versatile and extensible means. After four years from Steve Traugott's work, in July 2009 Vinay Sajip updated the module (now called gnupg.py to avoid confusion) and made it available (under the New BSD License) in tarballs on Google Code. The new version uses the subprocess module and so is easiest to use under Pythons >= 2.4. A unittest harness was also included. In 2013, in response to vulnerabilities in python-gnupg, a fork was made by Isis Lovecruft, this was initially available on PyPi as `gnupg` but has now been [[https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html|renamed to pretty-bad-protocol]] to avoid any confusion. This library has now completely rewritten the original and has not been vulnerable to some vulnerabilities which have been found in python-gnupg since. == pgpme based libraries history == GPGME was originally released as a C library. A library exposing the gpgme library to Python, [[http://pyme.sourceforge.net/|PyMe]] was released which provided bindings for this. PyMe's development model was based on GPGME + Python + SWIG (just like m2crypto is an OpenSSL + Python + SWIG) meaning that most of the functions and types were converted from C into Python automatically by SWIG. That library has [[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob;f=lang/python/README;hb=HEAD|now been merged into GPGME]] and is supposed to be maintained there. [[https://launchpad.net/pygpgme|pygpgme]] ([[https://pypi.org/project/pygpgme/|PyGPGME on PyPi]]) was started by James Henstridge. Beside Python2 it supports Python 3 since v0.3 (March 2012). The wrapping is done using python's C interface directly without using a generator tool like SWIG. This project has not been updated since 2013 and should probably be considered obsolete. = related libraries = The following libraries work with GNU PG to provide other functions. == pgp-mime (using the assuan protocol to gpgme-tool) == [[http://pypi.python.org/pypi/pgp-mime/|pgp-mime]] makes it easy to construct, verify, and send signed and/or encrypted email. It uses a [[http://pypi.python.org/pypi/pyassuan/|pyassuan]]-based connection to [[http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob;f=src/gpgme-tool.c;hb=HEAD|gpgme-tool]] for the cryptography, which is isolated in a {{{pgp_mime.crypt}}} module if you don't need the extra email-handling functionality. This currently uses gpgme by running {{{gpgme-tool}}} via {{{subprocess}}}. This module was created in 2012 and does not seem to have been updated since then so may not be suitable for production use. |
Contents
General information
GNU Privacy Guard is a Free Software GNU GPLed implementation of the crypto standards OpenPGP and CMS (used by S/MIME). Also known as "GnuPG" or "GPG". There are a couple of principal ways to access GnuPG functions from Python programs:
- use the official GPGME library.
- run the gpg commands and pipe to them.
The GnuPG initiative recommends using GPGME because it provides a documented API.
Accessing GnuPG via gpgme
GPGME is the official library for accessing GNU Privacy Guard from programs. Although there are python bindings for GPGME included within PyPi which could be installed with pip, this is not recommended by the GPG project and is unlikely to work since the PyPi library version would have to exactly match the version of GNUPG installed on your system. Instead either
- install and use the version available with your operating system (see table below)
or
build gpgme and the associated language bindings and install from source
The manual is currently missing from the various python documentation repositories but there is an online manual at adversary.org ( ![/!\](/wiki/europython/img/alert.png "/!\"){kind=small}
bad HTTPS certificate at time of writing).
per operating system install instructions
The following commands should install gpgme's python library on various operating systems
operating system |
package |
example command |
py3-gpgme |
apk add py3-gpgme |
|
python3-gpg |
apt install python3-gpg |
|
MacOS (homebrew) |
gpgme |
brew install gpgme |
python3-gpg |
apt install python3-gpg |
Running gpg executables
There are multiple libraries which drive the gpg binary as a program and interpret its output. This approach is older and more mature than the library but is not recommended and has lead to a number of vulnerabilities both in the python modules, related systems and other programs such as email programs which work in this way.
pretty-bad-protocol
pretty-bad-protocol is a rewrite of python-gnupg with a more conservative coding approach. This library can be installed with:
python -m pip install pretty-bad-protocol
improvements over python-gnupg include whitelisting of gpg program output designed to protect against vulnerabilities caused by changes in the program output.
python-gnupg
python-gnupg is the most widely used and recommended library. This library has had multiple vulnerabilities in the past, however it is under active development so currently known vulnerabilities are believed to have been fixed. It can be installed with:
python -m pip install python-gnupg
history
Not mentioned in this history there are a number of other old libraries which were built to support access to GNU Privacy Guard. These probably should not be used in new projects.
history of libraries that call the gpg program
The original Python/GnuPG interface was written by amk. This was updated in 2005 by SteveTraugott to GPG.py 2005 using pipes) building on Richard Jones' 1.3 update and adding more support for the decryption, signing, key management, bells, whistles, and so on which amk's original design implied. This was still a pure-python implementation for Python 2.2.1 requiring only gpg executable itself. This was *not* a drop-in replacement.
In parallel with the GnuPG interface a separate GnuPGInterface was released in 2002. This project has not been updated since 2006 and the project pages are now broken so it should no longer be used in new software. It concentrates on interacting with GnuPG via filehandles, providing access to control GnuPG via versatile and extensible means.
After four years from Steve Traugott's work, in July 2009 Vinay Sajip updated the module (now called gnupg.py to avoid confusion) and made it available (under the New BSD License) in tarballs on Google Code. The new version uses the subprocess module and so is easiest to use under Pythons >= 2.4. A unittest harness was also included.
In 2013, in response to vulnerabilities in python-gnupg, a fork was made by Isis Lovecruft, this was initially available on PyPi as gnupg but has now been renamed to pretty-bad-protocol to avoid any confusion. This library has now completely rewritten the original and has not been vulnerable to some vulnerabilities which have been found in python-gnupg since.
pgpme based libraries history
GPGME was originally released as a C library. A library exposing the gpgme library to Python, PyMe was released which provided bindings for this. PyMe's development model was based on GPGME + Python + SWIG (just like m2crypto is an OpenSSL + Python + SWIG) meaning that most of the functions and types were converted from C into Python automatically by SWIG. That library has now been merged into GPGME and is supposed to be maintained there.
pygpgme (PyGPGME on PyPi) was started by James Henstridge. Beside Python2 it supports Python 3 since v0.3 (March 2012). The wrapping is done using python's C interface directly without using a generator tool like SWIG. This project has not been updated since 2013 and should probably be considered obsolete.
related libraries
The following libraries work with GNU PG to provide other functions.
pgp-mime (using the assuan protocol to gpgme-tool)
pgp-mime makes it easy to construct, verify, and send signed and/or encrypted email. It uses a pyassuan-based connection to gpgme-tool for the cryptography, which is isolated in a pgp_mime.crypt module if you don't need the extra email-handling functionality. This currently uses gpgme by running gpgme-tool via subprocess.
This module was created in 2012 and does not seem to have been updated since then so may not be suitable for production use.