Comments (4)
@majek I suspect that you meant x = g.sign('abc\ndef\n', passphrase=''), right? Because the example you gave would result in a SyntaxError: x = g.sign('abc\ndef\n, passphrase=''). :)
I can reproduce the issue, however:
(gpg)∃!isisⒶwintermute:(develop $>)~/code/riseup/python-gnupg ∴ ipython
WARNING: Attempting to work in a virtualenv. If you encounter problems, please install IPython inside the virtualenv.
In [1]: import gnupg
In [2]: gpg = gnupg.GPG(homedir='TICKET-82-homedir')
In [3]: gpg.list_keys()
Out[3]:
[{'algo': u'1',
'date': u'1416359999',
'dummy': u'',
'expires': u'',
'fingerprint': u'9758F0C8859AC9DE5234B45E3B2B001E8BFF84B3',
'keyid': u'3B2B001E8BFF84B3',
'length': u'4096',
'ownertrust': u'u',
'subkeys': [[u'95B1017FCB1C1764', u's'], [u'FB9D3DC49BBE59DC', u'e']],
'trust': u'u',
'type': u'pub',
'uids': [u'python-gnupg test key <[email protected]>']}]
In [4]: x1 = gpg.sign('abc\ndef\n', passphrase='')
In [5]: print x1.data
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
def
-----BEGIN PGP SIGNATURE-----
=x1Xm
-----END PGP SIGNATURE-----
Although, on closer inspection, you may have discovered an upstream GnuPG bug, not a bug in python-gnupg. It turns out that, in both cases (with either passphrase='' or passphrase=None) python-gnupg appears to be correctly passing the message to be signed 'abc\ndef\n' to the underlying GnuPG binary:
In [6]: import logging
In [7]: gnupg._util.log.addHandler(logging.StreamHandler())
In [8]: gnupg._util.log.setLevel(5)
In [9]: x1 = gpg.sign('abc\ndef\n', passphrase='')
No 'default_key' given! Using first key on secring.
_sign_file():
Creating ascii-armoured signature for file <_io.BytesIO object at 0x7f276e631dd0>
Got arg string: --sign --armor
_make_filo(): Converted to reverse list: ['--armor', '--sign']
Got arg: --sign
Got arg: --armor
Got groups: {'--armor': '', '--sign': ''}
Appending option: --armor
Appending option: --sign
Got arg string: --clearsign
Got groups: {'--clearsign': ''}
Appending option: --clearsign
Got arg string: --digest-algo SHA512
_make_filo(): Converted to reverse list: ['SHA512', '--digest-algo']
Got arg: --digest-algo
Got value: SHA512
Got groups: {'--digest-algo': 'SHA512'}
_check_option(): No checks for SHA512
Appending option: --digest-algo SHA512
Sending command to GnuPG process:
['/usr/bin/gpg', '--no-options', '--no-emit-version', '--no-tty', '--status-fd', '2', '--homedir', 'TICKET-82-homedir', '--no-default-keyring', '--keyring', 'TICKET-82-homedir/pubring.gpg', '--secret-keyring', 'TICKET-82-homedir/secring.gpg', '--batch', '--passphrase-fd', '0', '--no-use-agent', '--armor', '--sign', '--clearsign', '--digest-algo', 'SHA512']
<Thread(Thread-15, initial daemon)>, <_io.BytesIO object at 0x7f276e631dd0>, <open file '<fdopen>', mode 'wb' at 0x7f276e5edd20>
Sending chunk 8 bytes:
abc
def
stderr reader: <Thread(Thread-16, initial daemon)>
Closed outstream: 8 bytes sent.
stdout reader: <Thread(Thread-17, initial daemon)>
Reading data from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5eded0>"...
unsafe permissions on homedir `TICKET-82-homedir'
GOOD_PASSPHRASE
BEGIN_SIGNING
SIG_CREATED C 1 10 01 1416360203 C11DB4C1C817C262C284133995B1017FCB1C1764
Read 854 bytes
Finishing reading from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5eded0>"...
Read 854 bytes total
In [10]: x2 = gpg.sign('abc\ndef\n', passphrase=None)
No 'default_key' given! Using first key on secring.
_sign_file():
Creating ascii-armoured signature for file <_io.BytesIO object at 0x7f276e631dd0>
Got arg string: --sign --armor
_make_filo(): Converted to reverse list: ['--armor', '--sign']
Got arg: --sign
Got arg: --armor
Got groups: {'--armor': '', '--sign': ''}
Appending option: --armor
Appending option: --sign
Got arg string: --clearsign
Got groups: {'--clearsign': ''}
Appending option: --clearsign
Got arg string: --digest-algo SHA512
_make_filo(): Converted to reverse list: ['SHA512', '--digest-algo']
Got arg: --digest-algo
Got value: SHA512
Got groups: {'--digest-algo': 'SHA512'}
_check_option(): No checks for SHA512
Appending option: --digest-algo SHA512
Sending command to GnuPG process:
['/usr/bin/gpg', '--no-options', '--no-emit-version', '--no-tty', '--status-fd', '2', '--homedir', 'TICKET-82-homedir', '--no-default-keyring', '--keyring', 'TICKET-82-homedir/pubring.gpg', '--secret-keyring', 'TICKET-82-homedir/secring.gpg', '--no-use-agent', '--armor', '--sign', '--clearsign', '--digest-algo', 'SHA512']
<Thread(Thread-18, initial daemon)>, <_io.BytesIO object at 0x7f276e631dd0>, <open file '<fdopen>', mode 'wb' at 0x7f276e5eddb0>
Sending chunk 8 bytes:
abc
def
stderr reader: <Thread(Thread-19, initial daemon)>
Closed outstream: 8 bytes sent.
stdout reader: <Thread(Thread-20, initial daemon)>
Reading data from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5edd20>"...
unsafe permissions on homedir `TICKET-82-homedir'
GOOD_PASSPHRASE
BEGIN_SIGNING
Read 858 bytes
SIG_CREATED C 1 10 01 1416360246 C11DB4C1C817C262C284133995B1017FCB1C1764
Finishing reading from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5edd20>"...
Read 858 bytes total
In [11]: print x1.data
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
def
-----BEGIN PGP SIGNATURE-----
=8j1H
-----END PGP SIGNATURE-----
In [12]: print x2.data
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
abc
def
-----BEGIN PGP SIGNATURE-----
=Q9mk
-----END PGP SIGNATURE-----
In [13]: x1v = gpg.verify(x1.data)
verify_file(): Handling embedded signature
Got arg string: --verify
Got groups: {'--verify': ''}
Appending option: --verify
Sending command to GnuPG process:
['/usr/bin/gpg', '--no-options', '--no-emit-version', '--no-tty', '--status-fd', '2', '--homedir', 'TICKET-82-homedir', '--no-default-keyring', '--keyring', 'TICKET-82-homedir/pubring.gpg', '--secret-keyring', 'TICKET-82-homedir/secring.gpg', '--no-use-agent', '--verify']
<Thread(Thread-21, initial daemon)>, <_io.BytesIO object at 0x7f276e631dd0>, <open file '<fdopen>', mode 'wb' at 0x7f276e5eded0>
Sending chunk 854 bytes:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
def
-----BEGIN PGP SIGNATURE-----
=8j1H
-----END PGP SIGNATURE-----
stderr reader: <Thread(Thread-22, initial daemon)>
Closed outstream: 854 bytes sent.
stdout reader: <Thread(Thread-23, initial daemon)>
unsafe permissions on homedir `TICKET-82-homedir'
Reading data from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5eddb0>"...
SIG_ID YHyCwxYcBn3PmBv/lvyoFJLqPdI 2014-11-19 1416360203
GOODSIG 95B1017FCB1C1764 python-gnupg test key <[email protected]>
Finishing reading from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5eddb0>"...
Read 0 bytes total
VALIDSIG C11DB4C1C817C262C284133995B1017FCB1C1764 2014-11-19 1416360203 0 4 0 1 10 01 9758F0C8859AC9DE5234B45E3B2B001E8BFF84B3
TRUST_ULTIMATE
In [14]: x1v.valid
Out[14]: True
In [15]: x2v = gpg.verify(x2.data)
verify_file(): Handling embedded signature
Got arg string: --verify
Got groups: {'--verify': ''}
Appending option: --verify
Sending command to GnuPG process:
['/usr/bin/gpg', '--no-options', '--no-emit-version', '--no-tty', '--status-fd', '2', '--homedir', 'TICKET-82-homedir', '--no-default-keyring', '--keyring', 'TICKET-82-homedir/pubring.gpg', '--secret-keyring', 'TICKET-82-homedir/secring.gpg', '--no-use-agent', '--verify']
<Thread(Thread-24, initial daemon)>, <_io.BytesIO object at 0x7f276e631dd0>, <open file '<fdopen>', mode 'wb' at 0x7f276e5edd20>
Sending chunk 858 bytes:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
abc
def
-----BEGIN PGP SIGNATURE-----
=Q9mk
-----END PGP SIGNATURE-----
stderr reader: <Thread(Thread-25, initial daemon)>
stdout reader: <Thread(Thread-26, initial daemon)>
Closed outstream: 858 bytes sent.
unsafe permissions on homedir `TICKET-82-homedir'
Reading data from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5eded0>"...
SIG_ID BC2g8SahrciVTHFab89ZSiT0yJs 2014-11-19 1416360246
GOODSIG 95B1017FCB1C1764 python-gnupg test key <[email protected]>
Finishing reading from stream "<open file '<fdopen>', mode 'rb' at 0x7f276e5eded0>"...
VALIDSIG C11DB4C1C817C262C284133995B1017FCB1C1764 2014-11-19 1416360246 0 4 0 1 10 01 9758F0C8859AC9DE5234B45E3B2B001E8BFF84B3
Read 0 bytes total
TRUST_ULTIMATE
In [16]: x2v.valid
Out[16]: True
The options which python-gnupg passes in each case are slightly different:
Case 1 with passphrase='' produces the following debug logs:
Sending command to GnuPG process:
['/usr/bin/gpg', '--no-options', '--no-emit-version', '--no-tty', '--status-fd', '2', '--homedir', 'TICKET-82-homedir', '--no-default-keyring', '--keyring', 'TICKET-82-homedir/pubring.gpg', '--secret-keyring', 'TICKET-82-homedir/secring.gpg', '--batch', '--passphrase-fd', '0', '--no-use-agent', '--armor', '--sign', '--clearsign', '--digest-algo', 'SHA512']
<Thread(Thread-15, initial daemon)>, <_io.BytesIO object at 0x7f276e631dd0>, <open file '<fdopen>', mode 'wb' at 0x7f276e5edd20>
Sending chunk 8 bytes:
abc
def
stderr reader: <Thread(Thread-16, initial daemon)>
Closed outstream: 8 bytes sent.
Case 2 with passphrase=None produces:
Sending command to GnuPG process:
['/usr/bin/gpg', '--no-options', '--no-emit-version', '--no-tty', '--status-fd', '2', '--homedir', 'TICKET-82-homedir', '--no-default-keyring', '--keyring', 'TICKET-82-homedir/pubring.gpg', '--secret-keyring', 'TICKET-82-homedir/secring.gpg', '--no-use-agent', '--armor', '--sign', '--clearsign', '--digest-algo', 'SHA512']
<Thread(Thread-18, initial daemon)>, <_io.BytesIO object at 0x7f276e631dd0>, <open file '<fdopen>', mode 'wb' at 0x7f276e5eddb0>
Sending chunk 8 bytes:
abc
def
stderr reader: <Thread(Thread-19, initial daemon)>
Closed outstream: 8 bytes sent.
The only difference between the two being that the former has --batch --passphrase-fd 0 as additional options. Although I could be mistaken, it is my understanding that this probably shouldn't cause GnuPG to cut off the message being signed, which is what leads me to believe that this isn't intended behaviour and that this is therefore an upstream bug in GnuPG.
from python-gnupg.
Nice investigation :) My workaround is something like: sign(..., passphrase=pass or None), not sure what the upstream solution should be.
@majek Hmm… I looked into it a little more:
So, first, in the gnupg._meta.GPGBase._sign_file() method, it feeds the passphrase into _open_subprocess() if passphrase is not None. That gets fed into _make_args(), which in turn should ignore it in this line because bool('')==False. What I don't understand is how the extra args '--batch --passphrase-fd 0' ended up in the command passed to GnuPG above, since bool('')==False.
Either way, the passphrase is not None part should probably be changed, since GnuPG shouldn't be accepting the passphrase False or True or anything like that. Your way of doing passphrase or None would still allow passphrase=True (other than that it's better).
Another way might be to add a line right beforehand: passphrase = passphrase if isinstance(passphrase, str) else None to weed out the bools, then do passphrase or None as you suggested to remove empty strings.
Fixed in my fix/82-passphrase-empty-str branch and merged.
from python-gnupg.
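The three passphrase checks discussed in this thread, compared in an added example (not python-gnupg's code, and not written by the thread's participants). It is a model that never calls GnuPG: it assumes gpg's documented `--passphrase-fd` behaviour of reading only the first line of that descriptor, and assumes the wrapper writes a passphrase line only when the passphrase is non-empty; all function names are hypothetical.

```python
import io

MESSAGE = b"abc\ndef\n"  # the message signed in the thread


def gate_not_none(p):
    """Check described in the thread: anything except None counts as a passphrase."""
    return p


def gate_or_none(p):
    """Workaround from the thread: passphrase or None (drops '' but keeps True)."""
    return p or None


def gate_str_only(p):
    """Proposal from the thread: keep only str values, then drop empty strings."""
    p = p if isinstance(p, str) else None
    return p or None


def model_sign(message, passphrase, gate):
    """Return (passphrase_fd0_used, bytes left for gpg to sign) in this model."""
    effective = gate(passphrase)
    use_fd0 = effective is not None  # adds --batch --passphrase-fd 0
    stdin = io.BytesIO()
    if effective:  # assumption: no passphrase line is written for '' or False
        stdin.write(str(effective).encode() + b"\n")
    stdin.write(message)
    stdin.seek(0)
    if use_fd0:
        stdin.readline()  # gpg takes the first line of fd 0 as the passphrase
    return use_fd0, stdin.read()


def survey():
    """Run every gate against the passphrase values raised in the thread."""
    rows = []
    for gate in (gate_not_none, gate_or_none, gate_str_only):
        for p in (None, "", True, "s3cret"):  # constructed sample values
            rows.append((gate.__name__, p) + model_sign(MESSAGE, p, gate))
    return rows


if __name__ == "__main__":
    for name, p, fd0, signed in survey():
        print(f"{name:14} passphrase={p!r:9} fd0={fd0!s:5} signed={signed!r}")
```

Under these assumptions only the `is not None` check combined with `passphrase=''` loses the first line of the message, which matches the signed text `def` shown in the session above.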