Comments (3)

brianredbeard avatar brianredbeard commented on June 30, 2024

One initial thought was to simply document adding --trusted-key to the options. Unfortunately though that flag isn't whitelisted.

Another theorized workaround was to use something like:

import os
import tempfile
import gnupg  # the isislovecruft python-gnupg fork, whose GPG() takes homedir=

# COREOS_PUB_KEY is assumed to hold the ASCII-armored CoreOS public key (not shown here)
gpghome = tempfile.mkdtemp(prefix='coreos')
# write a per-homedir gpg.conf that marks the CoreOS key as trusted
with open(os.path.join(gpghome, "gpg.conf"), "a+") as config:
    config.write("trusted-key 0x50E0885593D2DCB4\n")
gpg = gnupg.GPG(homedir=gpghome)
gpg.import_keys(COREOS_PUB_KEY)

Alas, while this writes the file correctly, it's not processed because of the use of --no-options in the default flags passed to gpg.

from python-gnupg.

fivetonsflax avatar fivetonsflax commented on June 30, 2024

Any thoughts on this, Isis?

isislovecruft avatar isislovecruft commented on June 30, 2024

@brianredbeard @fivetonsflax Going with the --edit-keys feature would be the "best" way to go, however doing so would likely be rather complicated, we'd have to probably use something like expect to script what we expect the output to be. However, the output in the interactive --edit-keys menu is extremely variable between GnuPG versions, and we'd need to provide other careful manipulations such as to ensure that the output we're running an expect statement on is in English, etc.

The easier way to go would be the --trusted-key feature, although that would cause any signatures (even certification signatures made on other keys) which have been created by the "trusted-key" to be calculated to be trustable at the same level as if the user had made those signatures themself with one of their own secret keys.

@brianredbeard Yes, we use --no-options so that the parsers aren't bypassed via options placed into a config file. That is, we purposefully don't support config files. (Doing so would also add compatibility/debugging issues, as the commands which were actually issued to the GnuPG binary wouldn't be the ones which python-gnupg meant to issue, and we'd likely get users complaining that python-gnupg had broken something without realising they had some incompatible settings in their config file.)

@brianredbeard One workaround which could be used is to add --trusted-key KEYID to the gnupg.GPG.options list. Any flags which are allowed and are within gnupg.GPG.options will get appended to all commands run thereafter. However, python-gnupg's commandline/flag parser acts as a whitelist (in order to avoid the shell injection which "upstream", a.k.a. Vinay Sajip's version of python-gnupg, is vulnerable to), and --trusted-key isn't currently within any of the whitelisted flag groups, so just adding --trusted-key KEYID to gnupg.GPG.options currently won't work, as that whitelist will reject it. If --trusted-key were added to the flags whitelist (specifically, it should go in the hex_options frozenset in the gnupg._parsers._get_options_group() function), then this would work, and the validity of any KEYID listed afterwards would be automatically checked by the gnupg._parsers._is_hex() function.

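The whitelist behaviour described above (flags grouped by the kind of argument they take, with --trusted-key belonging in a hex-argument group whose values are checked for being hex) can be illustrated with a small stand-alone parser. This is an added example, not python-gnupg's code: the group names NO_ARG_OPTIONS and HEX_OPTIONS, the functions is_hex, sanitise_options and build_argv, and the inputs are all constructed for illustration; the only value taken from the thread is the CoreOS key ID. It also shows why --no-options is passed unconditionally, so that a gpg.conf in the homedir cannot smuggle in settings the parser never saw.

```python
import re

# Allowed flags grouped by the kind of argument they take. Constructed for this
# example; the real groups in gnupg._parsers are larger and named differently.
NO_ARG_OPTIONS = frozenset({"--armor", "--batch", "--yes"})
HEX_OPTIONS = frozenset({"--trusted-key"})  # assumed: the comment proposes putting it in hex_options

HEX_RE = re.compile(r"(?:0x)?[0-9A-Fa-f]+")


def is_hex(value):
    """True if value is a plain hex string, optionally 0x-prefixed.

    Anything else (spaces, ';', '$(', path separators) fails, so a value that
    reaches the gpg argv can only ever be a key ID or fingerprint.
    """
    return HEX_RE.fullmatch(value) is not None


def sanitise_options(options):
    """Split a caller-supplied option list into (accepted, rejected).

    accepted is a flat argv fragment ready to append to the gpg command line.
    rejected is a list of (flag, value) tuples for everything dropped: unknown
    flags, and whitelisted flags whose argument failed its group's validator.
    """
    accepted, rejected = [], []
    i = 0
    while i < len(options):
        flag = options[i]
        if flag in NO_ARG_OPTIONS:
            accepted.append(flag)
            i += 1
        elif flag in HEX_OPTIONS:
            value = options[i + 1] if i + 1 < len(options) else None
            if value is not None and is_hex(value):
                accepted.extend([flag, value])
            else:
                rejected.append((flag, value))
            i += 2
        else:
            # Not in any whitelisted group: drop it rather than pass it through.
            rejected.append((flag, None))
            i += 1
    return accepted, rejected


def build_argv(homedir, options, command):
    """Assemble the gpg argv the way a whitelisting wrapper would.

    --no-options is always present so gpg.conf in the homedir is ignored and
    the flags actually run are exactly the ones the parser accepted. The list
    is meant for subprocess with shell=False; no string is ever shell-parsed.
    """
    accepted, _ = sanitise_options(options)
    return ["gpg", "--no-options", "--homedir", homedir] + accepted + list(command)


if __name__ == "__main__":
    # Constructed input: one good flag, one bad key ID, and an attempt to
    # point gpg at a config file, which is outside the whitelist.
    user_options = [
        "--armor",
        "--trusted-key", "0x50E0885593D2DCB4",
        "--trusted-key", "not-a-key-id",
        "--options", "/tmp/evil.conf",
    ]
    accepted, rejected = sanitise_options(user_options)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("argv:", build_argv("/tmp/coreos-gpghome", user_options, ["--import"]))
```

Note that is_hex only guarantees the argument is hex; it does not check that the key exists in the keyring or that it is the length gpg expects for --trusted-key, so a wrapper that adopts this approach still relies on gpg's own error reporting for a wrong but well-formed key ID.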