Skip to content

lutostag/gpgrv

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

104 Commits
examples
examples
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE.MIT
LICENSE.MIT
 
 
README.md
README.md
 
 
gpgrv.jpg
gpgrv.jpg
 
 

Repository files navigation

gpgrv

An RV.

gpgrv is a Rust library for verifying some types of GPG signatures.

use std::io::{stdin, stdout, BufReader, Cursor, Seek, SeekFrom};
fn main() {
    // load a keyring from some file(s)
    // for example, we use the linux distribution keyring
    let mut keyring = gpgrv::Keyring::new();
    let keyring_file = Cursor::new(distro_keyring::supported_keys());
    keyring.append_keys_from(keyring_file).unwrap();

    // read stdin, verify, and write the output to a temporary file
    let mut temp = tempfile::tempfile().unwrap();
    gpgrv::verify_message(BufReader::new(stdin()), &mut temp, &keyring).expect("verification");

    // if we succeeded, print the temporary file to stdout
    temp.seek(SeekFrom::Start(0)).unwrap();
    std::io::copy(&mut temp, &mut stdout()).unwrap();
}

Supports

  • Verifying signatures:
    • RSA
    • SHA1 and SHA2 (SHA-256, SHA-512).
  • Signed "inline" messages, and detached signatures.
  • Armoured and unarmoured/binary.
  • Compression wrappers (added by gpg for most messages)
  • Loading old-style keyrings (i.e. not keybox files)

Advantages

  • Entirely safe Rust, no native code. Easy to build and portable.
  • MIT (or Apache2, or whatever!) licensed, not LGPL.
  • Simple, Rust-style API on streams (Read/Write).

Disadvantages

  • A tiny amount of custom, low-risk crypto code. However, any crypto code can be wrong.
  • Limited, but growing, support for key and data formats.
  • (Intentionally) not constant time: Cannot be used for certain crypto applications. This is less important for signature verification with public keys.

Alternatives

  • gpgme (LGPL) - bindings for native code, verbose API
  • rpgp (MIT/Apache2) - serious implementation of plenty of pgp
  • sequoia-openpgp (GPLv3) - serious implementation of plenty of pgp

I was using the the gpgme API, which works, but the API is painful, and the linking/requirements are complicated.

sequoia's license is wrong.

rpgp has too many features, although it does seem to be nicely split into crates.

Minimum Supported Rust Version (MSRV)

1.34.2 (Debian Stable 2019) is pinned in Travis. Much older currently works fine, but I don't plan to do extra work to make it happen. MSRV bumps are some kind of semver bump, to be decided for 1.0.0.

License

Licensed under either of

  • Apache License, Version 2.0
  • MIT license

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

About

MIT gpg(v) library for Rust

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Rust 98.7%
  • Shell 1.3%