From: python on
Curious if any of you are using GPG or PGP encryption and/or signatures
in your Python apps?

In particular are you:

1. clearsigning specific emails?
2. validating clearsigned emails from others?
3. encrypting/decrypting files?
4. generating signatures for files that you are exchanging/posting for
download?
5. what public keyring services are you using?

I'm also looking for recommendations on which 3rd party modules you're
using for these tasks? In particular is there a particular module you
prefer or have concerns about?

Here's my short list of modules that *might* support encryption and
signing in general:

- m2crypto
- pycrypto (standalone or with expycrypto or yawpycrypto wrappers)
- tlslite
- pyme
- evpy
- python-gnupg (by developer of Python's logging module)

Any comments on using the subprocess module to wrap the gpg or openssl
command line utilities? This seems to be a common technique for
encryption and signing solutions and appears to the technique used by
python-gnupg (for example).

Thank you,
Malcolm

From: Steve on
On Jul 2, 4:48 am, pyt...(a)bdurham.com wrote:
> Curious if any of you are using GPG or PGP encryption and/or signatures
> in your Python apps?
>
> In particular are you:
>
> 1. clearsigning specific emails?
> 2. validating clearsigned emails from others?
> 3. encrypting/decrypting files?
> 4. generating signatures for files that you are exchanging/posting for
> download?
> 5. what public keyring services are you using?
>
> I'm also looking for recommendations on which 3rd party modules you're
> using for these tasks? In particular is there a particular module you
> prefer or have concerns about?
>
> Here's my short list of modules that *might* support encryption and
> signing in general:
>
> - m2crypto
> - pycrypto (standalone or with expycrypto or yawpycrypto wrappers)
> - tlslite
> - pyme
> - evpy
> - python-gnupg (by developer of Python's logging module)
>
> Any comments on using the subprocess module to wrap the gpg or openssl
> command line utilities? This seems to be a common technique for
> encryption and signing solutions and appears to the technique used by
> python-gnupg (for example).
>
> Thank you,
> Malcolm

I used python-gnupg successfully to create some Django utilities for
sending encrypted email.

You can grab the source code at http://github.com/stephenmcd/django-email-extras

Cheers,
Steve
From: geremy condra on
On Thu, Jul 1, 2010 at 11:48 AM, <python(a)bdurham.com> wrote:
> Curious if any of you are using GPG or PGP encryption and/or signatures
> in your Python apps?

Yes; disclaimer: I'm the author of evpy and am currently working on a
openssl wrapper proposed for inclusion in the stdlib.

> In particular are you:
>
> 1. clearsigning specific emails?

Yes; I use python-gnupg.

> 2. validating clearsigned emails from others?

Yes, see above.

> 3. encrypting/decrypting files?

Yes, I use evpy.

> 4. generating signatures for files that you are exchanging/posting for
> download?

Yes, evpy again.

> 5. what public keyring services are you using?

Can't comment on this as I don't use them.

> I'm also looking for recommendations on which 3rd party modules you're
> using for these tasks? In particular is there a particular module you
> prefer or have concerns about?

Obviously I'm biased towards evpy, but I'm a really, really big fan of
people not rolling their own crypto. It sounds like for most of what
you want to do gpg or python-gnupg are pretty good options.

> Here's my short list of modules that *might* support encryption and
> signing in general:
>
> - m2crypto

Supports encryption and signing; a high quality library with much to
recommend it, assuming you need the full power of openssl and are
able to use SWIG'd software. I think you probably have easier to
use alternatives here, though.

> - pycrypto (standalone or with expycrypto or yawpycrypto wrappers)

pycrypto is a good library as far as it goes, but I see a lot of
nonexperts do things very badly with it, and AFAICS it hasn't seen
the same level of scrutiny that something like openssl has,
especially WRT side channel cryptanalysis. That's very worrying.

> - tlslite
> - pyme

no experience here, can't comment.

> - evpy

I like it ;). It supports encryption (public and private key) as well
as signing and verification routines, and as long as you know
your threat model it's reasonably hard to screw up. Having said
that, it doesn't do anything with the web of trust or key revocation
etc OOTB, so if what you're really looking for is gpg in python, use
the right tool for the job.

> - python-gnupg (by developer of Python's logging module)

I use it and like it for the reasons above.

> Any comments on using the subprocess module to wrap the gpg or openssl
> command line utilities? This seems to be a common technique for
> encryption and signing solutions and appears to the technique used by
> python-gnupg (for example).

Seems fine, just make sure you know and trust where your keys are
going.

Geremy Condra
From: Stef Mientki on
On 02-07-2010 09:39, geremy condra wrote:
> On Thu, Jul 1, 2010 at 11:48 AM, <python(a)bdurham.com> wrote:
>> Curious if any of you are using GPG or PGP encryption and/or signatures
>> in your Python apps?
> Yes; disclaimer: I'm the author of evpy and am currently working on a
> openssl wrapper proposed for inclusion in the stdlib.
Great Geremy !,
but it's difficult to find,
and I couldn't find any documentation.
Did I not look at the right places ?

thanks
Stef Mientki