Anyone using GPG or PGP encryption/signatures in your Python apps?

geremy condra debatem1 at gmail.com
Fri Jul 2 03:39:12 EDT 2010 

On Thu, Jul 1, 2010 at 11:48 AM,  <python at bdurham.com> wrote:
> Curious if any of you are using GPG or PGP encryption and/or signatures
> in your Python apps?

Yes; disclaimer: I'm the author of evpy and am currently working on a
openssl wrapper proposed for inclusion in the stdlib.

> In particular are you:
>
> 1. clearsigning specific emails?

Yes; I use python-gnupg.

> 2. validating clearsigned emails from others?

Yes, see above.

> 3. encrypting/decrypting files?

Yes, I use evpy.

> 4. generating signatures for files that you are exchanging/posting for
> download?

Yes, evpy again.

> 5. what public keyring services are you using?

Can't comment on this as I don't use them.

> I'm also looking for recommendations on which 3rd party modules you're
> using for these tasks? In particular is there a particular module you
> prefer or have concerns about?

Obviously I'm biased towards evpy, but I'm a really, really big fan of
people not rolling their own crypto. It sounds like for most of what
you want to do gpg or python-gnupg are pretty good options.

> Here's my short list of modules that *might* support encryption and
> signing in general:
>
> - m2crypto

Supports encryption and signing; a high quality library with much to
recommend it, assuming you need the full power of openssl and are
able to use SWIG'd software. I think you probably have easier to
use alternatives here, though.

> - pycrypto (standalone or with expycrypto or yawpycrypto wrappers)

pycrypto is a good library as far as it goes, but I see a lot of
nonexperts do things very badly with it, and AFAICS it hasn't seen
the same level of scrutiny that something like openssl has,
especially WRT side channel cryptanalysis. That's very worrying.

> - tlslite
> - pyme

no experience here, can't comment.

> - evpy

I like it ;). It supports encryption (public and private key) as well
as signing and verification routines, and as long as you know
your threat model it's reasonably hard to screw up. Having said
that, it doesn't do anything with the web of trust or key revocation
etc OOTB, so if what you're really looking for is gpg in python, use
the right tool for the job.

> - python-gnupg (by developer of Python's logging module)

I use it and like it for the reasons above.

> Any comments on using the subprocess module to wrap the gpg or openssl
> command line utilities? This seems to be a common technique for
> encryption and signing solutions and appears to the technique used by
> python-gnupg (for example).

Seems fine, just make sure you know and trust where your keys are
going.

Geremy Condra

More information about the Python-list mailing list