[cryptography] OpenPGP in Python: Security evaluations?

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Apr 21 12:30:58 EDT 2015



[Sent from my iPad. As it is not a secured device, there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an insecure channel; if you find any information controversial or unexpected, send a response and request a signed confirmation.]

> On 21 Apr 2015, at 18:16, Ruben Pollan <meskio at sindominio.net> wrote:
> 
> Quoting Fabio Pietrosanti (naif) - lists (2015-04-21 12:34:39)
>> for any developer willing to use OpenPGP with a python developed
>> application currently the main choice is to go with python-gnupg, that's
>> a wrapper on top of GnuPG binary (https://pythonhosted.org/python-gnupg/).
> 
> There is a fork of this project that tries to fix some security concerns of it:
> https://github.com/isislovecruft/python-gnupg
> 
> I think mailpile also has their own gnupg wrapper in python, but AFAIK is not a 
> library that can be reused.
> 
>> That's architecturally a very bad choice, plenty of constraints (for
>> example you need to enable "/bin/sh" execution under apparmor sandboxing
>> profile of a python application under Linux).

That might be less dangerous than implementing crypto on our own, and ensure compatibility with the user base. Anyhow, there is also https://github.com/dol-sen/pyGPG, which is used for e.g. gentoo-keys (also operating like a library wrapping the gpg exe).

