[cryptography] OpenPGP in Python: Security evaluations?

Ruben Pollan meskio at sindominio.net
Tue Apr 21 12:16:36 EDT 2015

Quoting Fabio Pietrosanti (naif) - lists (2015-04-21 12:34:39)
> for any developer willing to use OpenPGP with a python developed
> application currently the main choice is to go with python-gnupg, that's
> a wrapper on top of GnuPG binary (https://pythonhosted.org/python-gnupg/).

There is a fork of this project that tries to fix some security concerns of it:

I think Mailpile also has their own GnuPG wrapper in Python, but AFAIK it is not a 
library that can be reused.

> That's architecturally a very bad choice, plenty of constraints (for
> example you need to enable "/bin/sh" execution under apparmor sandboxing
> profile of a python application under Linux).
> Currently there are only two pure-python OpenPGP implementations:
> * PGPy: https://github.com/SecurityInnovation/PGPy
> * OpenPGP-Python: https://github.com/singpolyma/OpenPGP-Python

If you are searching just for an OpenPGP parser there is also this one:

> Both stacks rely on Python Cryptography for Cryptographic primitives
> implementations https://pypi.python.org/pypi/cryptography .
> We're considering switching away from GnuPG for the server-side PGP
> processing and would like to ask an opinion to the list about those
> implementations.
> Is there anyone engaging in metrics to evaluate the security of an
> OpenPGP implementation and/or already evaluated PGPy/OpenPGP-Python?

I'll be interested too to know if there is any of that; I haven't had a look in 
depth at anything besides Isis's python-gnupg.

Ruben Pollan  | http://meskio.net/
 My contact info: http://meskio.net/crypto.txt
Nos vamos a Croatan.