# PGPy

PGPy is a Python (2 and 3) implementation of the OpenPGP specification, as described in RFC 4880.

documentation: [here](https://pythonhosted.org/PGPy/index.html)
source code: [here](https://github.com/SecurityInnovation/PGPy)

The main alternatives to PGPy are [python-gnupg](https://pythonhosted.org/python-gnupg/) and the fork [isislovecruft/python-gnupg](https://github.com/isislovecruft/python-gnupg). While the latter addresses some security concerns, neither are actively maintained. Furthermore, these libraries interact with an external `gpg` process, which is quite frail when deploying to multiple platforms.

In [1]:
# these are some TEST keys.
# there cannot be any leading whitespace, so note the `.strip()` at the end.
KEY_PUB = '''
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mI0EV1y9XAEEAMn1ZI3rFLbGwGbO9WOSnfqlsDgokyRN3ifSJ4yrtteLKiqyXUl2
fGIJzsW6FhAisnpr46pE2m0C7mpc7PAluB/aPzE95RLcQuNLvMzAx4Jj5rs3f3Zn
C4DuPkEVNM1NYow+ef9swH1UdsZxrqALHS8ojGaTECUEJ2R2+CUfWLpTABEBAAG0
C3dpbGxpIDx3QGI+iLgEEwECACIFAldcvVwCGwMGCwkIBwMCBhUIAgkKCwQWAgMB
Ah4BAheAAAoJEEnsK2RHSBGcOjoD/RD0bOdls0RXOvgCg5VVFFVTMS6rRBq3M8wL
HCwQKnA0qtNnE1cSIhS7Xp11fJw9+0bLfq/aknkwZWGT04Hov+sar3Yqk9jVJMm/
rBkwER90rZz/pdaSX8vlBjzWeVidptiE4PyPKIpAszhgG1nIdOH13DFgdTB01v/8
qI+YHWvZuI0EV1y9XAEEAOx02seUsv3iGqUBfUGWOSKNSk6IEJnL4APIBkzusWnY
PLrtLbI/ZK9BY20TbxZbdctIOw7b+l3Px4y0Y+4NFCt8tE7iHyyUzmw1btzNIbgp
TLssu85xYQL4CX1yBnAsK5lRjJNryp3W6a/hz1v/bUQzwPTEESZMm7/MkARRLuMN
ABEBAAGInwQYAQIACQUCV1y9XAIbDAAKCRBJ7CtkR0gRnKlXA/0ZVaZHEUPuTNL6
G550HC5atTO4UoZFi0UtzLVVXDlacGiEhNZb81cXWP5M3K/GN3aeqjZpAFej30ko
F+N5JUwtcl7VfrIfRw+pZPNcOBoMdlKzpYrMYlKELTNrQzMt0Fqfvfs9C6ReDgep
VY1s5iZMWApgf6zBkQXPb8n0FYxinQ==
=WTDR
-----END PGP PUBLIC KEY BLOCK-----
'''.lstrip()


KEY_PRIV = '''-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1

lQHYBFdcvVwBBADJ9WSN6xS2xsBmzvVjkp36pbA4KJMkTd4n0ieMq7bXiyoqsl1J
dnxiCc7FuhYQIrJ6a+OqRNptAu5qXOzwJbgf2j8xPeUS3ELjS7zMwMeCY+a7N392
ZwuA7j5BFTTNTWKMPnn/bMB9VHbGca6gCx0vKIxmkxAlBCdkdvglH1i6UwARAQAB
AAP/Sc5G0cCUINnQraG7twh5eIS9ukBFydI1OmtIbdXBK9NddR4bDoJhIXkBGmyP
rJTpkejE2lBwXL9h/vf31SmLuF28NtKtzGlSlELYAcXKEvxBm3vTZWDeN39vJDpL
HUCZ9PRQSkmZk6us16Olv0bibMA7p1UECqFZ+ifBt9rCs1UCANTI2mRi7daZk87/
ldNURFLKXmaX4YW9gAK61rwFvRNJQZM8fCiXOLct8vKrfO61rNSoGgG25N90n+Ph
ptJFrg8CAPL5q7w1lfPREPbnI8lGnpZ08rL/tuj+hLcssNoQjqwPQn05Bxt7PgGO
HiKx75GOSUqCFG8mxYSrzdmQs5m+c30CAKEOJr3nxXTOSUZDsqakMhZ0/JSfn8vb
3gMP1/Ffb55NiGehP52MgogoTH/0QdZ93ViYy5nLW6HWuaPDr9wGYFythrQLd2ls
bGkgPHdAYj6IuAQTAQIAIgUCV1y9XAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
F4AACgkQSewrZEdIEZw6OgP9EPRs52WzRFc6+AKDlVUUVVMxLqtEGrczzAscLBAq
cDSq02cTVxIiFLtenXV8nD37Rst+r9qSeTBlYZPTgei/6xqvdiqT2NUkyb+sGTAR
H3StnP+l1pJfy+UGPNZ5WJ2m2ITg/I8oikCzOGAbWch04fXcMWB1MHTW//yoj5gd
a9mdAdgEV1y9XAEEAOx02seUsv3iGqUBfUGWOSKNSk6IEJnL4APIBkzusWnYPLrt
LbI/ZK9BY20TbxZbdctIOw7b+l3Px4y0Y+4NFCt8tE7iHyyUzmw1btzNIbgpTLss
u85xYQL4CX1yBnAsK5lRjJNryp3W6a/hz1v/bUQzwPTEESZMm7/MkARRLuMNABEB
AAEAA/9lWZ7uvcdMt+3YvP8trhCWRT5M09hdu3us0z8UGZlUt1kse/3CsZZb4iiW
N6a9S/184NxjfZlePXGYVzef8N4sBIwzN5N6F11wa0xxGx2+e8nHpuMPnBYVIGre
yAZBVB41CglR8rof7SYUysi5puTuBv/yVSdzBM3cSuWPZ94GxwIA7RkjTSrLLdzz
lxHrdyI//8JcIfxB6RO3jXLB2wfI3ge15OOo44G5V2bdcSVxOdk3gDSj/TtqCgyF
u+0aJgYSjwIA/06erCfS+F/nn0oR2h3EFxxeVYyRkPU5rVgws9ocMeNo3X5/ehAH
MeM3C03opIl0vGy/jJatnfROplpJin7OowIAmCQhVN06ZEFJSUHjmXmmjsf8JEs3
nNrVYESGdlECRcUIu9Vv00rbZ3NjymbJjyxKhd7pIrfmIzKnSxZNKnYGy58FiJ8E
GAECAAkFAldcvVwCGwwACgkQSewrZEdIEZypVwP9GVWmRxFD7kzS+huedBwuWrUz
uFKGRYtFLcy1VVw5WnBohITWW/NXF1j+TNyvxjd2nqo2aQBXo99JKBfjeSVMLXJe
1X6yH0cPqWTzXDgaDHZSs6WKzGJShC0za0MzLdBan737PQukXg4HqVWNbOYmTFgK
YH+swZEFz2/J9BWMYp0=
=iHir
-----END PGP PRIVATE KEY BLOCK-----
'''.lstrip()


# via: http://r6.ca/privatekeys.html
KEY_PRIV2 = '''
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.2.3 (OS/2)

lQHWBD3X7JABBADfDcT9WgUZsAXC2jaLXbVRbkI/vmZWqFT1bBTicnHEOf0EZRKl
o2eIJWf0UIMvBC840efecOGKEmtubHyyas5aSDThQZM8PyCKRrJhGX02UHwCvNRi
XzAD1wteFyGtkVYmlHTR84fjyk9V1BlsZLNTZdTbKQ//Yuxww1qPTrlqNwAGKQAD
/2ddy62aG1bUsX/CyBse8B9+BbmjKS5m+6ntZ1Y1CQOFBNySvbbn0lHS5T9Eh7gh
KJ10AU4bVclZtOg+wyb5TORKNJ6ywjvj+DDMFekoWlfMwhw+utZVEpbJkK7vJNQg
jGBX0+L2uEbv/Z5wFpucoLxNX5fg+nDUxzP+d3VXAlLJAgDrZOc2usLMfMXNh+p0
5xfSAa8QmpumEM/1ARyV12BLhf0/nuVIZPkK9mfTdO5xk/OC35FhJLqQzHSoyNeW
wPRvAgDylFK+/3F5O1ssj2SQ4KRmULhoOs/Lpj9XgTPOFcbkoT58XYmkNvNbKCxS
It1QS0LQNHtOOqIvZKbagnckopq5Af9IGvyE53vEmp6lfop0yZFmO8NQPbcv+B5k
rUAValTyeDTyH7Qc2pdm/SGok47vSc+5Uyyx6/X6hUHF1sfSIoVVrC60hFJ1c3Nl
bGwgU3RldmVuIFNoYXduIE8nQ29ubm9yIChMT1cgU0VDVVJJVFkgLSBzZWUgPGh0
dHA6Ly9tYXRoLmJlcmtlbGV5LmVkdS9+cm9jb25ub3IvcHVibGlja2V5cy5odG1s
PikgPHJvY29ubm9yQG1hdGguYmVya2VsZXkuZWR1Poi4BBMBAgAiBQI91+yQAhsD
BQkB4TOABAsHAwIDFQIDAxYCAQIeAQIXgAAKCRBNPmjuaEZDWZ9vBADQCY9J5ZnV
VYfQBf5F3d6yhNxzXJaFIHEemsBA37dgwCJc3+49KBBJFB91PFlVwgz9PCgux8YJ
yUDsDh56pzXycCxcBav0O/MBapN1rq5/X22vtKrKxSfKjMLfQlto7VWv9vNwzlZA
ClJPYBDOZt5DxA3RECsuNxEvb28bfT5epQ==
=VufU
-----END PGP PRIVATE KEY BLOCK-----
'''.strip()

SOME_TEXT = 'hello world!'

In [2]:
import pgpy
import hexdump

# importing keys

In [3]:
# import ASCII formatted private key
priv_key = pgpy.PGPKey()
priv_key.parse(KEY_PRIV)
pass

In [4]:
# import ASCII formatted public key
pub_key = pgpy.PGPKey()
pub_key.parse(KEY_PUB)
pass

In [5]:
pub_key.fingerprint == priv_key.fingerprint

True

In [6]:
priv_key.fingerprint

'2E0B 2FA1 A40E 19E5 343F  4AF4 49EC 2B64 4748 119C'

# messages

a message contains some content that can be encrypted and/or signed.

In [7]:
msg = pgpy.PGPMessage.new(SOME_TEXT)

In [36]:
msg.message == SOME_TEXT

True

In [8]:
# binary message format
hexdump.hexdump(bytes(msg))

00000000: C8 17 01 3B 2D 54 CA 10  C1 29 E0 9E 91 9A 93 93  ...;-T...)......
00000010: AF 50 9E 5F 94 93 A2 08  00                       .P._.....


In [9]:
# roundtrip binary encode/decode works
bytes(msg) == bytes(pgpy.PGPMessage.from_blob(bytes(msg)))

True

In [10]:
# ascii message format
print(str(msg))

-----BEGIN PGP MESSAGE-----
Version: PGPy v0.4.0

yBcBOy1UyhDBKeCekZqTk69Qnl+Uk6IIAA==
=X/V4
-----END PGP MESSAGE-----



In [11]:
# roundtrip ASCII encode/decode works
str(msg) == str(pgpy.PGPMessage.from_blob(str(msg)))

True

# signing

In [12]:
msg |= priv_key.sign(msg)

# you must use the | operaator to attach the signature.
# the following does NOT work:
#
#    signed_msg = priv_key.sign(msg)

print(str(msg))

-----BEGIN PGP MESSAGE-----
Version: PGPy v0.4.0

yMADATvCy8zAwej5RjvF3UNwDsNpoVKGCE4B94zUnJx8hfL8opwUxUNzWBgYORjY
WJlAMgxcnAIw5VEazP+srMMbQhuWnb41y2fv76iL29e7mtTGcnKmVGRsMt47tSu5
hvlNjfmKz0+1Dpz+5F9Y/VF9YuTLdN2KjBVltxz+aropq31025J6ij18xbYvOabT
TqRdnv1O6n/wu9nqyhPNk4yKUp/u3JJ8aaGLmJ+L2OVbKrtP3C+/vNrTyqqSU/L6
2zuq0lMB
=Avjs
-----END PGP MESSAGE-----



don't expect to be able to sign with the public key!

In [13]:
pub_key.sign(msg)

PGPError: Expected: is_public == False. Got: True

two ways to access the fingerprint(s) that signed the message:

In [14]:
msg.signatures

[<PGPSignature [BinaryDocument] object at 0x87e6b2eb70>]

In [15]:
sig = msg.signatures[0]

In [16]:
sig.signer

'49EC2B644748119C'

In [17]:
msg.signers

{'49EC2B644748119C'}

# verifying

In [18]:
pub_key.verify(msg)

<SignatureVerification(True)>

so, what does a verification failure look like?

In [19]:
priv_key2 = pgpy.PGPKey()
priv_key2.parse(KEY_PRIV2)
pass

In [20]:
msg2 = pgpy.PGPMessage.new(SOME_TEXT)

In [21]:
msg2 |= priv_key2.sign(msg2)

In [22]:
# as expected, we can verify with the private key
priv_key2.verify(msg2)

<SignatureVerification(True)>

In [23]:
# but pgpy raises an error if the verify fails
# (here, we used the wrong key to verify)
priv_key.verify(msg2)

PGPError: No signatures to verify

# keyring

a keyring is a collection of keys. it does *not* expose a bulk `.verify()` method, but will let you look up keys by keyid.

In [24]:
keyring = pgpy.PGPKeyring()

In [25]:
keyring.fingerprints()

set()

In [26]:
# load ASCII formatted keys, no problem
keyring.load(KEY_PUB)
keyring.load(KEY_PRIV)
keyring.load(KEY_PRIV2)
pass

In [27]:
keyring.fingerprints()

{'1955 DE89 31BC C733 74BB  5892 4D3E 68EE 6846 4359',
 '2E0B 2FA1 A40E 19E5 343F  4AF4 49EC 2B64 4748 119C',
 '6361 9590 A867 BBFB 1EF3  ED11 C586 C149 7F9A 5807'}

In [28]:
pub_key.fingerprint in keyring.fingerprints()

True

In [29]:
with keyring.key('2E0B 2FA1 A40E 19E5 343F  4AF4 49EC 2B64 4748 119C') as key:
    print(key.fingerprint)

2E0B 2FA1 A40E 19E5 343F  4AF4 49EC 2B64 4748 119C


In [30]:
# we can use the 64-bit key id, too
with keyring.key('49EC2B644748119C') as key:
    print(key.fingerprint)

2E0B 2FA1 A40E 19E5 343F  4AF4 49EC 2B64 4748 119C


In [31]:
# unfortunately, this doesn't work because of differing keyid lengths (64bit vs full-lenth)
msg.signers.intersection(keyring.fingerprints())

set()

In [33]:
# instead we have to iterate keyids and try to fetch them from the keystore
for keyid in msg.signers:
    if keyring.key(keyid):
        print(keyid)

49EC2B644748119C


In [35]:
msg.message

'hello world!'