[cryptography] OpenPGP in Python: Security evaluations?

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Fri Jun 12 06:39:16 EDT 2015



On 6/12/15 6:05 AM, Michael Greene wrote:
> Hello there, I am the author of PGPy - I figured I’d chime in here, even
> though I have clearly noticed this discussion a little bit late.
> 
> When I decided that taking up the project of building a pure-Python
> OpenPGP implementation would be worthwhile, I did so after evaluating
> all of the existing Python libraries I could manage to find. The main
> reason I started the project was because very nearly all of the Python
> libraries for working with PGP were either wrappers around the gpg
> binary, or GPGME bindings (which itself is a wrapper around the gpg
> binary, but written in C).

I'm a fan of the PGPy approach, because it relies on native crypto but
implements the OpenPGP packet formats in pure Python, enabling full
application control without having to do dirty stuff (such as
python-gnupg relying on gpg and executing gpg in /dev/shm/, leading to
tons of issues).

The integration of third-party security software based on execution of
cmdline is very dirty, architecturally speaking, and most gpg and Tor
libraries must do that.

Regarding GPGME, is it really exec()uting the gpg binary or is it
directly calling gpg as a library?

We're considering switching the server-side operations of GPG of
GlobaLeaks to PGPy or OpenPGP-Python, given proper streaming support
(for memory/buffering reasons) and a public security audit that can be
arranged.

For PGPy I really suggest making a wrapper API to facilitate
replacement of python-gnupg with PGPy.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org -
https://ahmia.fi

