Comments (3)
One initial thought was to simply document adding `--trusted-key` to the options. Unfortunately though that flag isn't whitelisted.

Another theorized workaround was to use something like:

```python
import os
import tempfile

import gnupg

# COREOS_PUB_KEY is assumed to hold the ASCII-armored CoreOS public key (defined elsewhere).
gpghome = tempfile.mkdtemp(prefix='coreos')

# Write a gpg.conf into the temporary homedir marking the CoreOS key as trusted.
with open(os.path.join(gpghome, "gpg.conf"), "a+") as config:
    config.write("trusted-key 0x50E0885593D2DCB4\n")

gpg = gnupg.GPG(homedir=gpghome)
gpg.import_keys(COREOS_PUB_KEY)
```

Alas, while this writes the file correctly, it's not processed because of the use of `--no-options` in the default flags passed to `gpg`.

Any thoughts on this, Isis?
@brianredbeard @fivetonsflax Going with the `--edit-keys` feature would be the "best" way to go, however doing so would likely be rather complicated, we'd have to probably use something like `expect` to script what we expect the output to be. However, the output in the interactive `--edit-keys` menu is extremely variable between GnuPG versions, and we'd need to provide other careful manipulations such as to ensure that the output we're running an `expect` statement on is in English, etc.

The easier way to go would be the `--trusted-key` feature, although that would cause any signatures (even certification signatures made on other keys) which have been created by the "trusted-key" to be calculated to be trustable at the same level as if the user had made those signatures themselves with one of their own secret keys.
@brianredbeard Yes, we use `--no-options` so that the parsers aren't bypassed via options placed into a config file. That is, we purposefully don't support config files. (Doing so would also add compatibility/debugging issues, as the commands which were actually issued to the GnuPG binary wouldn't be the ones which python-gnupg meant to issue, and we'd likely get users complaining that python-gnupg had broken something without realising they had some incompatible settings in their config file.)

@brianredbeard One workaround which could be used is to add `--trusted-key KEYID` to the `gnupg.GPG.options` list. Any flags which are allowed and are within `gnupg.GPG.options` will get appended to all commands run thereafter. However, python-gnupg's commandline/flag parser acts as a whitelist (in order to avoid the shell injection which "upstream" a.k.a. Vinay Sajip's version of python-gnupg is vulnerable to), and `--trusted-key` isn't currently within any of the whitelisted flag groups… so… just adding `--trusted-key KEYID` to `gnupg.GPG.options` currently won't work, as that whitelist will reject it. If `--trusted-key` were added to the flags whitelist (specifically, it should go in the `hex_options` frozenset in the `gnupg._parsers._get_options_group()` function), then this would work, and the validity of any `KEYID` listed afterwards would be automatically checked by the `gnupg._parsers._is_hex()` function.
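The allow-list behaviour described in the comment above, as an added illustration rather than python-gnupg's own code: flags are grouped into frozensets, a flag outside every group is dropped, and a flag in the hex-taking group is only kept when its argument passes a hex key-ID check. The group names, `is_hex` and `sanitise_options` are assumptions for this example, not the project's `_get_options_group()` / `_is_hex()`.

```python
# Constructed illustration of an allow-list flag filter in the style the thread
# describes; group names and helper names are assumptions, not python-gnupg's API.

# Flags that take no argument.
BOOLEAN_OPTIONS = frozenset(["--no-options", "--batch", "--no-tty"])
# Flags whose argument must be a hex key ID or fingerprint. This is the group the
# thread proposes adding --trusted-key to.
HEX_OPTIONS = frozenset(["--trusted-key", "--default-key", "--recipient"])


def is_hex(value):
    """True if value is an optional 0x prefix plus a short/long key ID or fingerprint."""
    digits = value[2:] if value[:2].lower() == "0x" else value
    return len(digits) in (8, 16, 40) and all(c in "0123456789abcdefABCDEF" for c in digits)


def sanitise_options(options, hex_options=HEX_OPTIONS):
    """Split options into (accepted, rejected).

    Unknown flags and hex flags with a bad argument are rejected rather than passed
    to the gpg binary, so a value smuggled in via gnupg.GPG.options (for example a
    config-file path or a shell metacharacter) never reaches the command line.
    """
    accepted, rejected = [], []
    i = 0
    while i < len(options):
        flag = options[i]
        if flag in BOOLEAN_OPTIONS:
            accepted.append(flag)
            i += 1
        elif flag in hex_options:
            arg = options[i + 1] if i + 1 < len(options) else None
            if arg is not None and is_hex(arg):
                accepted.extend([flag, arg])
            else:
                rejected.append((flag, arg))
            i += 2
        else:
            rejected.append((flag, None))
            i += 1
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a valid key ID passes, a key ID with a trailing shell
    # command and an --options flag (not allow-listed) are both dropped.
    print(sanitise_options(["--trusted-key", "0x50E0885593D2DCB4", "--no-options"]))
    print(sanitise_options(["--trusted-key", "0x50E0885593D2DCB4;id", "--options", "x.conf"]))
```

Passing `hex_options=frozenset()` reproduces the current state of the whitelist, where `--trusted-key` is rejected even with a well-formed key ID.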