On Thu, Apr 26, 2018 at 07:56:52AM +1000, Ed Schofield wrote:
> Hi everyone!
>
> We're looking for more speakers for the Melbourne Python user group
> (in May and beyond). This is an opportunity to connect with the
> Python community, get the word out about something important, or get
> feedback. You may be interested if ...
To quote _John Wick_, “A talk, you say … ”

Actually things have been insanely hectic this year and are likely to remain that way for quite some time. Maybe they'll settle down a bit later in the year, but probably not until next year at the earliest (it depends on too many external factors to be sure). In fact, I'd not only forgotten I was on this list, I'd forgotten it even existed, and only rediscovered it when checking for something else entirely.

Still, given the cause of some of my hectic schedule and your questions it seemed appropriate to say something …

> You're working on an interesting Python-related project that the
> world should know about?

Oh my word, yes indeed …

> You've discovered an amazing new Python-related tool recently?

Does it count as a discovery if you're responsible for porting it from 2 to 3 and then getting that version reincorporated into the parent project as official bindings for that parent project? ;)

> You'd like to share your experiences learning Python ... or using it
> in your workplace?

Well, I certainly learned a lot (though somewhat beyond learning the language) and indeed still am. As for the workplace part, the aforementioned parent project is now employing me so that counts too.

> You'd like a trial run for a potential talk at PyCon AU in August?

There is no chance of me even attending a PyCon for the foreseeable future; for reasons tangentially related to aspects of why I work on cryptographic projects in the first place.

> If so .. please let me (or the list) know!

Right, time to stop being cryptic.

In 2015 I ported John Goerzen's old PyME project (version 0.9.0) from Python 2 to Python 3. PyME utilised SWIG to generate Python to C bindings for GPGME, the C API for the GNU Privacy Guard (aka the GnuPG Project, aka GPG).
As PyME had always been licensed under the same dual licensing model as the rest of the GnuPG Project (GPLv2+ and LGPLv2.1+), it was able to be seamlessly committed back into the parent project a few months after waving it under Werner's nose. The following year it received a significant overhaul by Justus Winter, formerly of g10code, in order to make it work with both Python 2.7 and from Python 3.4 and above. It also gained a module rename (to "gpg") and the addition of a more pythonic layer between the lower level bindings and developers.

When Justus moved on from g10code towards the end of last year, Werner needed a Python maintainer and I returned to take up stewardship of the bindings.

Since the package utilises SWIG to dynamically generate these bindings, they are the most feature-complete bindings to GPGME of any language aside, of course, from C itself. With Python being what it is, the options to provide easier access for other languages without needing to write specific bindings for them are already planned. The module works on any POSIX system and though there are frequent reports of failures on Windows systems, recent investigations indicate that may be solved soon (assuming Andre and I are right about the cause).

Now the juicy part, the brief demonstration of why you should care.

With the newer and more pythonic layer, this module is actually easier to use than either the python-gnupg wrapper module or Isis Lovecruft's fork. There is no need to set any configuration parameters since it will find your default ~/.gnupg directory, though that can be overridden if you want; unlike both of those wrapper modules. There's also no risk of shell related exploits since it hooks directly into GPGME itself, likewise there is no need to configure a binary file for GPG since the functions aren't called that way. Oh, also no risk of passing your passphrase into Python's memory since GPGME invokes gpg-agent and pinentry.
As for how easy it is, well, here's how to use the information in the headers of this email to import my key and then export it to a file. For this demonstration I'm also using an alternate temporary configuration directory made a few minutes prior to running these commands:

    Python 3.7.0 (default, Jun 29 2018, 13:09:59)
    >>> import gpg
    >>> import requests
    >>> c = gpg.Context(home_dir="~/.gnupg-temp")
    >>> url = "http://www.adversary.org/ben-key.asc"
    >>> id = "DB4724E6FA4286C92B4E55C4321E4E2373590E5D"
    >>> r = requests.get(url)
    >>> incoming = c.key_import(r.content)
    >>> incoming
    ImportResult(considered=1, imported=1, imported_rsa=0, imports=[ImportStatus(fpr='DB4724E6FA4286C92B4E55C4321E4E2373590E5D', result=0, status=1)], new_revocations=0, new_signatures=0, new_sub_keys=0, new_user_ids=0, no_user_id=0, not_imported=0, secret_imported=0, secret_read=0, secret_unchanged=0, skipped_new_keys=0, skipped_v3_keys=0, unchanged=0)
    >>> incoming.imported
    1
    >>> incoming.imports[0].fpr == id
    True
    >>> with open("/tmp/ben_key.gpg", "wb") as f:
    ...     f.write(c.key_export(pattern=id))
    ...
    75439
    >>>

Then to check in a shell:

    bash-4.4$ ls -l /tmp/ben_key.gpg
    -rw-r--r--  1 ben  wheel  75439 10 Jul 09:57 /tmp/ben_key.gpg
    bash-4.4$ file /tmp/ben_key.gpg
    /tmp/ben_key.gpg: PGP/GPG key public ring (v4) created Sat Jul 28 22:57:31 2012 RSA (Encrypt or Sign) 4096 bits MPI=0xc3b0a5435cfc5b63...
    bash-4.4$

Which, of course, matches:

    bash-4.4$ gpg --homedir .gnupg-temp -k
    /home/ben/.gnupg-temp/pubring.kbx
    ----------------------------------
    pub   rsa4096 2012-07-28 [SC]
          DB4724E6FA4286C92B4E55C4321E4E2373590E5D
    uid           [ unknown] Ben McGinnes <ben @ adversary . org>
    uid           [ unknown] Ben McGinnes <ben @ gnupg . org>
    sub   rsa3072 2012-07-28 [S]
    sub   elg4096 2012-07-28 [E]
    sub   dsa3072 2017-12-27 [S]
    bash-4.4$

And back in my real homedir:

    bash-4.4$ gpg -K DB4724E6FA4286C92B4E55C4321E4E2373590E5D
    sec   rsa4096/0x321E4E2373590E5D 2012-07-28 [SC]
          DB4724E6FA4286C92B4E55C4321E4E2373590E5D
    uid                   [ultimate] Ben McGinnes <ben @ adversary . org>
    uid                   [ultimate] Ben McGinnes <ben @ gnupg . org>
    ssb   rsa3072/0x7FF2D37135C7553C 2012-07-28 [S]
    ssb   elg4096/0xC98BAA1862E4484D 2012-07-28 [E]
    ssb   dsa3072/0x48723A7579041EC6 2017-12-27 [S]
    bash-4.4$

Note: three UIDs have been removed and obviously two have been modified to delay the spambot brigade by half a second or so ...

For those of you wondering about secret key exports. Yes, you can and it's as easy as c.key_export_secret(). It still requires the passphrase, though (of course).

Not only that, but it even comes with a shiny new-ish HOWTO. The official version of which is in the lang/python/docs/ directory in GPGME distributions, but the unofficial draft version (sometimes containing material slightly ahead of what goes into the official org-mode file) lives over here:

http://files.au.adversary.org/crypto/gpgme-python-howto/webhelp/index.html

Alternatively, if you don't mind accepting wildcard SSL certificates for AWS S3 buckets for other domains, you can also access it here:

https://files.au.adversary.org/crypto/gpgme-python-howto/webhelp/index.html

Those links are probably a little easier to follow since they also experiment with alternative documentation methods.
The python bindings source is here:

https://dev.gnupg.org/source/gpgme/browse/master/lang/python/

The official docs are here:

https://dev.gnupg.org/source/gpgme/browse/master/lang/python/docs/

And the scripts referenced in the HOWTO are here:

https://dev.gnupg.org/source/gpgme/browse/master/lang/python/examples/howto/

Anyway, as I said, things are very busy for me at the moment and I can't guarantee when or even if I'd be able to deliver a talk even locally anytime soon, but there should be enough here for my fellow Melbournian pythonistas to start taking advantage of this work. There are already very clear examples of encryption, decryption, signing and verifying and a little more besides (the HOWTO includes creating keys and subkeys). It is, of course, very good for securing any data at rest and requiring a user to authorise its use. No doubt there are plenty of scenarios for which that will be appropriate (including the one which led me to perform the port in the first place, though this work is *far* more important than that project was).

If nothing else you can all at least share the joke every time Malcolm Turnbull or Peter Dutton start talking about how they're going to control cryptography in Australia. ;)

If you do find it useful, though, or even if you've just found GPG useful over the years, consider donating to the project.

https://gnupg.org/donate/index.html

It very nearly didn't survive and would have ended a few years ago, but only Edward Snowden's revelations and highlighting its value saved it at the last moment. Given how much really depends on it (e.g. all your favourite package managers), it really should feature a little higher on the donations priorities.

Regards,
Ben

P.S. Yes, I have completed the ITAR compliance questionnaire through the ADF website and this is all fine. There's a GPG signed copy of the results in one of my branches on git.gnupg.org (but I can't remember which branch it's in).
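An added example (not from Ben's email and not part of the GPGME bindings): the session above trusts `incoming.imports[0].fpr` and the `file` command to confirm that the export in /tmp/ben_key.gpg is the expected key. This code checks that independently, by computing the OpenPGP v4 fingerprint (SHA-1 over 0x99, a two-byte length and the public-key packet body, per RFC 4880) straight from the exported bytes. The packet it builds for demonstration is a constructed sample with tiny placeholder MPIs, not a real key; `read_packet`, `v4_fingerprint`, `key_matches` and `build_sample_key_packet` are names chosen here.

```python
import hashlib
import struct

def read_packet(data: bytes, offset: int = 0):
    """Parse one OpenPGP packet header (RFC 4880, section 4.2) at offset.
    Returns (tag, body_start, body_end); partial-body lengths are rejected."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor ASCII exports first)")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body length is not valid for key packets")
    else:  # old-format header: length-type 0/1/2 means a 1/2/4-byte length
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not valid for key packets")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, start, start + length

def v4_fingerprint(exported: bytes) -> str:
    """Fingerprint of the first public-key packet (tag 6) in a binary export:
    SHA-1 over 0x99, the two-byte body length and the body (RFC 4880, 12.2)."""
    tag, start, end = read_packet(exported)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected a public-key packet")
    body = exported[start:end]
    if body[0] != 4:
        raise ValueError("only v4 keys use the SHA-1 fingerprint computed here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches(exported: bytes, expected_fpr: str) -> bool:
    """True when the export's primary key fingerprint equals the expected one."""
    return v4_fingerprint(exported) == expected_fpr.replace(" ", "").upper()

def build_sample_key_packet() -> bytes:
    """Constructed sample (NOT a real key): v4 RSA public-key packet body with tiny
    placeholder MPIs and an arbitrary creation time, old-format 2-byte-length header."""
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1343516251) + b"\x01" + mpi(0xC3B0A5435CFC5B63) + mpi(65537)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body
```

Against a real binary export, `key_matches(open("/tmp/ben_key.gpg", "rb").read(), id)` is the check the session above leaves to the tool's own output.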
_______________________________________________
melbourne-pug mailing list
melbourne-pug@python.org
https://mail.python.org/mailman/listinfo/melbourne-pug