gpgrv

An RV.

gpgrv is a Rust library for verifying some types of GPG signatures.

use std::io::{stdin, stdout, BufReader, Cursor, Seek, SeekFrom};
fn main() {
    // load a keyring from some file(s)
    // for example, we use the linux distribution keyring
    let mut keyring = gpgrv::Keyring::new();
    let keyring_file = Cursor::new(distro_keyring::supported_keys());
    keyring.append_keys_from(keyring_file).unwrap();

    // read stdin, verify, and write the output to a temporary file
    let mut temp = tempfile::tempfile().unwrap();
    gpgrv::verify_message(BufReader::new(stdin()), &mut temp, &keyring).expect("verification");

    // if we succeeded, print the temporary file to stdout
    temp.seek(SeekFrom::Start(0)).unwrap();
    std::io::copy(&mut temp, &mut stdout()).unwrap();
}

Supports

  • Verifying signatures:
    • RSA
    • SHA1 and SHA2 (SHA-256, SHA-512).
  • Signed "inline" messages, and detached signatures.
  • Armoured and unarmoured/binary.
  • Compression wrappers (added by gpg for most messages)
  • Loading old-style keyrings (i.e. not keybox files)
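The signed "inline" messages listed above use the OpenPGP cleartext signature framework (RFC 4880, section 7), in which only the dash-unescaped text between the two BEGIN markers is covered by the signature; as in the usage sample, the data to trust is what the verifier writes out, not the raw input. The following is an added example, not gpgrv's code: `split_clearsigned` and `ClearSigned` are hypothetical names, it uses only the standard library, and it performs no signature verification.

```rust
// Added illustration (std only); not gpgrv's code. It performs NO signature check.
const BEGIN_MSG: &str = "-----BEGIN PGP SIGNED MESSAGE-----";
const BEGIN_SIG: &str = "-----BEGIN PGP SIGNATURE-----";
const END_SIG: &str = "-----END PGP SIGNATURE-----";
#[derive(Debug)]
pub struct ClearSigned {
    pub hashes: Vec<String>, // values of the "Hash:" armor headers
    pub signed_text: String, // canonical text the signature covers
    pub armored_sig: String, // lines of the signature block, unparsed
}
pub fn split_clearsigned(input: &str) -> Result<ClearSigned, &'static str> {
    let mut lines = input.lines(); // lines() strips both "\n" and "\r\n"
    // Anything before the BEGIN line is outside the signature: skip it.
    lines.by_ref().find(|l| l.trim_end() == BEGIN_MSG).ok_or("no signed message")?;
    let mut hashes = Vec::new();
    loop {
        let l = lines.next().ok_or("truncated headers")?.trim_end();
        if l.is_empty() { break; } // the blank separator line is not signed
        let v = l.strip_prefix("Hash:").ok_or("unexpected armor header")?;
        hashes.extend(v.split(',').map(|h| h.trim().to_string()));
    }
    let mut body = Vec::new();
    loop {
        let l = lines.next().ok_or("no signature block")?;
        if l.trim_end() == BEGIN_SIG { break; }
        // Undo dash-escaping; an unescaped leading '-' is treated as malformed.
        let l = match l.strip_prefix("- ") {
            Some(rest) => rest,
            None if l.starts_with('-') => return Err("unescaped dash line"),
            None => l,
        };
        // Trailing spaces and tabs are not part of the signed data.
        body.push(l.trim_end_matches(|c: char| c == ' ' || c == '\t'));
    }
    let mut sig = Vec::new();
    loop {
        let l = lines.next().ok_or("unterminated signature block")?;
        if l.trim_end() == END_SIG { break; } // text after this is unsigned
        sig.push(l);
    }
    // Canonical form joins lines with CRLF; the final line ending is excluded.
    Ok(ClearSigned { hashes, signed_text: body.join("\r\n"), armored_sig: sig.join("\n") })
}
fn main() {
    // Constructed sample; "AAAA" is a placeholder, not a real signature.
    let sample = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello  \n- -- dashes\n-----BEGIN PGP SIGNATURE-----\n\nAAAA\n-----END PGP SIGNATURE-----\n";
    println!("{:?}", split_clearsigned(sample));
}
```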

Advantages

  • Entirely safe Rust, no native code. Easy to build and portable.
  • MIT (or Apache2, or whatever!) licensed, not LGPL.
  • Simple, Rust-style API on streams (Read/Write).

Disadvantages

  • A tiny amount of custom, low-risk crypto code. However, any crypto code can be wrong.
  • Limited, but growing, support for key and data formats.
  • (Intentionally) not constant time: Cannot be used for certain crypto applications. This is less important for signature verification with public keys.

Alternatives

  • gpgme (LGPL) - bindings for native code, verbose API
  • rpgp (MIT/Apache2) - serious implementation of plenty of pgp
  • sequoia-openpgp (GPLv3) - serious implementation of plenty of pgp

I was using the gpgme API, which works, but the API is painful, and the linking/requirements are complicated.

sequoia's license is wrong.

rpgp has too many features, although it does seem to be nicely split into crates.

License

Licensed under either of

  • Apache License, Version 2.0
  • MIT license

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
