def export_keys(
self,
keyids,
secret=False,
armor=True,
minimal=False,
passphrase=None,
expect_passphrase=True,
):
"""
Export the indicated keys. A 'keyid' is anything gpg accepts.
Since GnuPG 2.1, you can't export secret keys without providing a
passphrase. However, if you're expecting the passphrase to go to gpg
via pinentry, you should specify expect_passphrase=False. (It's only
checked for GnuPG >= 2.1).
"""
which = ""
if secret:
which = "-secret-key"
if (
self.version >= (2, 1)
and passphrase is None
and expect_passphrase
):
raise ValueError(
"For GnuPG >= 2.1, exporting secret keys "
"needs a passphrase to be provided"
)
if gnupg._is_sequence(keyids):
keyids = [gnupg.no_quote(k) for k in keyids]
else:
keyids = [gnupg.no_quote(keyids)]
args = ["--export%s" % which]
if armor:
args.append("--armor")
if minimal:
args.extend(["--export-options", "export-minimal"])
args.extend(keyids)
result = self.result_map["export"](self)
if not secret or self.version < (2, 1):
p = self._open_subprocess(args)
self._collect_output(p, result, stdin=p.stdin)
else:
f = gnupg._make_binary_stream("", self.encoding)
try:
self._handle_io(
args, f, result, passphrase=passphrase, binary=True
)
finally:
f.close()
gnupg.logger.debug("export_keys result: %r", result.data)
if armor:
result.data = result.data.decode(self.encoding, self.decode_errors)
return result
def delete_keys(
self,
fingerprints,
secret=False,
passphrase=None,
expect_passphrase=True,
):
"""
Delete the indicated keys.
Since GnuPG 2.1, you can't delete secret keys without providing a
passphrase. However, if you're expecting the passphrase to go to gpg
via pinentry, you should specify expect_passphrase=False. (It's only
checked for GnuPG >= 2.1).
"""
which = "key"
if secret: # pragma: no cover
if (
self.version >= (2, 1)
and passphrase is None
and expect_passphrase
):
raise ValueError(
"For GnuPG >= 2.1, deleting secret keys "
"needs a passphrase to be provided"
)
which = "secret-key"
if gnupg._is_sequence(fingerprints): # pragma: no cover
fingerprints = [gnupg.no_quote(s) for s in fingerprints]
else:
fingerprints = [gnupg.no_quote(fingerprints)]
args = []
if secret and passphrase and expect_passphrase:
args = ["--yes"]
args.append("--delete-%s" % which)
args.extend(fingerprints)
result = self.result_map["delete"](self)
if not secret or self.version < (2, 1):
p = self._open_subprocess(args)
self._collect_output(p, result, stdin=p.stdin)
else:
# Need to send in a passphrase.
f = gnupg._make_binary_stream("", self.encoding)
try:
self._handle_io(
args, f, result, passphrase=passphrase, binary=True
)
finally:
f.close()
return result
def verify_detached(self,
sig: bytes,
data: bytes,
keep_stderr=None,
extra_args=None):
"""Verify binary `sig` on the `data`."""
import gnupg
import tempfile
assert isinstance(data, bytes), data
assert isinstance(sig, bytes), sig
with tempfile.TemporaryDirectory() as tdir:
sig_fn = osp.join(tdir, 'sig')
with io.open(sig_fn, 'wb+') as sig_fp:
sig_fp.write(sig)
GPG = self.GPG
args = ['--verify', gnupg.no_quote(sig_fn), '-']
if extra_args:
args.extend(extra_args)
result = GPG.result_map['verify'](GPG)
data_stream = io.BytesIO(data)
GPG._handle_io(args, data_stream, result, binary=True)
return self._proc_verfication(result, keep_stderr)
def openEncryptStreamSymmetric(self, instream, passphrase, algorithm=None, sign=None, compress=True):
args = ['--symmetric']
if algorithm:
# only works with symetric
args.extend(['--cipher-algo', gnupg.no_quote(algorithm)])
# else use the default, currently CAST5
return self.__openEncryptStream(instream, args,
sign=sign, passphrase=passphrase, compress=compress)
def openEncryptStream(self, instream, recipients, sign=None, passphrase=None, compress=True):
args = ['--encrypt']
if not recipients:
raise ValueError('No recipients specified')
if not gnupg._is_sequence(recipients):
recipients = (recipients,)
for recipient in recipients:
args.extend(['--recipient', gnupg.no_quote(recipient)])
return self.__openEncryptStream(instream, args,
sign=sign, passphrase=passphrase, compress=compress)
def verify_detached(self, sig: bytes, msg: bytes):
with tempfile.NamedTemporaryFile('wb+', prefix='co2dice_') as sig_fp:
with tempfile.NamedTemporaryFile('wb+',
prefix='co2dice_') as msg_fp:
sig_fp.write(sig)
sig_fp.flush()
sig_fp.seek(0) ## paranoid seek(), Windows at least)
msg_fp.write(msg)
msg_fp.flush()
msg_fp.seek(0)
sig_fn = gnupg.no_quote(sig_fp.name)
msg_fn = gnupg.no_quote(msg_fp.name)
args = ['--verify', sig_fn, msg_fn]
result = self.result_map['verify'](self)
p = self._open_subprocess(args)
self._collect_output(p, result, stdin=p.stdin)
return result
def __openEncryptStream(self, instream, args, sign, passphrase, compress):
if self.__streamOpen:
return self
if sign is True: # pragma: no cover
args.append('--sign')
elif sign: # pragma: no cover
args.extend(['--sign', '--default-key', gnupg.no_quote(sign)])
args.append('--always-trust')
if not compress:
args.extend(['--compress-algo', 'none'])
self.__createStreamsAndProcess(instream, args, passphrase)
return self
def verify_detached_armor(self, sig: str, data: str):
#def verify_file(self, file, data_filename=None):
"""Verify `sig` on the `data`."""
logger = gnupg.logger
#with tempfile.NamedTemporaryFile(mode='wt+',
# encoding='latin-1') as sig_fp:
#sig_fp.write(sig)
#sig_fp.flush(); sig_fp.seek(0) ## paranoid seek(), Windows at least)
#sig_fn = sig_fp.name
sig_fn = osp.join(tempfile.gettempdir(), 'sig.sig')
logger.debug('Wrote sig to temp file: %r', sig_fn)
args = ['--verify', gnupg.no_quote(sig_fn), '-']
result = self.result_map['verify'](self)
data_stream = io.BytesIO(data.encode(self.encoding))
self._handle_io(args, data_stream, result, binary=True)
return result