~sircmpwn/sr.ht#106: Evaluate switch from pgpy to pygpgme

Status
REPORTED
Submitter
~sircmpwn
Assigned to
No-one
Submitted
9 months ago
Updated
3 months ago
Labels
No labels applied.

~anarcat 7 months ago

any reason why the switch? i worked with pgpy and found it quite promising even though development seems to have stalled recently... i dislike pygpgme because it ties back into gpg, which i consider legacy at this point - it brings just too much cruft with it and weird ways of operating...

~sircmpwn 7 months ago

pgpy is missing a lot of features supported by gpg, and users have reported problems with PGP keys that won't import into meta.sr.ht, or can't be used to encrypt their emails, etc.

~anarcat 7 months ago

right - you certainly will have trouble with ECC keys for example. i guess if you need wider compatibility, you'll certainly have to switch, in the short term, which is too bad becaues you enter a world of API pain. :/

i'm sorry I wish i had better news.

~kiba 3 months ago

I ran into meta.sr.ht not accepting my PGP key, which uses ECC (ed25519 + cv25519). The interface will simply say:

This is not a valid PGP key

I wanted to suggest potentially using Go, which has pretty solid crypto libraries in the standard library, if you ever plan to rewrite meta.srt.ht. However, after doing a bit of digging it looks like ed25519 is not supported when I look at the PublicKeyAlgorithm type. Other ECC keys are supported though.

It looks like gpg is using algo 22 for ed25519 (I see this by running gpg --list-packets mypubkey.asc), which isn't listed in iana here: https://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12

I didn't quite realize I may be out of luck as far as support when I created my key... The idea of running gpg as a separate process for this piece seems really clunky though. I wonder what the effort would be to update the Python and/or Go library with support for ECC + ed25519 keys.

~sircmpwn 3 months ago

I didn't quite realize I may be out of luck as far as support when I created my key... The idea of running gpg as a separate process for this piece seems really clunky though. I wonder what the effort would be to update the Python and/or Go library with support for ECC + ed25519 keys.

The problem is that GPG will keep receiving updates... and any other implementation will keep falling behind. GPG isn't a standard interface.