keyserver/curl-shim.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

/* curl-shim.h
 * Copyright (C) 2005, 2006 Free Software Foundation, Inc.
 *
 * This file is part of GNUPG.
 *
 * GNUPG is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * GNUPG is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
 * USA.
 */

#ifndef _CURL_SHIM_H_
#define _CURL_SHIM_H_

#include "http.h"

typedef enum
  {
    CURLE_OK=0,
    CURLE_UNSUPPORTED_PROTOCOL=1,
    CURLE_COULDNT_CONNECT=7,
    CURLE_FTP_COULDNT_RETR_FILE=19,
    CURLE_HTTP_RETURNED_ERROR=22,
    CURLE_WRITE_ERROR=23
  } CURLcode;

typedef enum
  {
    CURLOPT_URL,
    CURLOPT_USERPWD,
    CURLOPT_WRITEFUNCTION,
    CURLOPT_FILE,
    CURLOPT_ERRORBUFFER,
    CURLOPT_FOLLOWLOCATION,
    CURLOPT_MAXREDIRS,
    CURLOPT_STDERR,
    CURLOPT_VERBOSE,
    CURLOPT_SSL_VERIFYPEER,
    CURLOPT_PROXY,
    CURLOPT_CAINFO,
    CURLOPT_POST,
    CURLOPT_POSTFIELDS,
    CURLOPT_FAILONERROR
  } CURLoption;

typedef size_t (*write_func)(char *buffer,size_t size,
			     size_t nitems,void *outstream);

typedef struct
{
  char *url;
  char *auth;
  char *errorbuffer;
  char *proxy;
  write_func writer;
  void *file;
  char *postfields;
  unsigned int status;
  FILE *errors;
  struct
  {
    unsigned int post:1;
    unsigned int failonerror:1;
    unsigned int verbose:1;
  } flags;
  http_t hd;
} CURL;

typedef struct
{
  const char **protocols;
} curl_version_info_data; 

#define CURL_ERROR_SIZE 256
#define CURL_GLOBAL_DEFAULT 0
#define CURLVERSION_NOW 0

CURLcode curl_global_init(long flags);
void curl_global_cleanup(void);
CURL *curl_easy_init(void);
CURLcode curl_easy_setopt(CURL *curl,CURLoption option,...);
CURLcode curl_easy_perform(CURL *curl);
void curl_easy_cleanup(CURL *curl);
char *curl_escape(char *str,int len);
#define curl_free(x) free(x)
#define curl_version() "GnuPG curl-shim "VERSION
curl_version_info_data *curl_version_info(int type);

#endif /* !_CURL_SHIM_H_ */
#+TITLE: GNU Privacy Guard (GnuPG) Made Easy Python Bindings HOWTO (English)
#+AUTHOR: Ben McGinnes
#+LATEX_COMPILER: xelatex
#+LATEX_CLASS: article
#+LATEX_CLASS_OPTIONS: [12pt]
#+LATEX_HEADER: \usepackage{xltxtra}
#+LATEX_HEADER: \usepackage[margin=1in]{geometry}
#+LATEX_HEADER: \setmainfont[Ligatures={Common}]{Times New Roman}
#+LATEX_HEADER: \author{Ben McGinnes <ben@gnupg.org>}
#+HTML_HEAD_EXTRA: <link type="application/rss+xml" href="https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=rss;f=lang/python/docs/GPGMEpythonHOWTOen.org"/>


* Introduction
  :PROPERTIES:
  :CUSTOM_ID: intro
  :END:

| Version:        | 0.1.4                                    |
| GPGME Version:  | 1.12.0-draft                             |
| Author:         | [[https://gnupg.org/people/index.html#sec-1-5][Ben McGinnes]] <ben@gnupg.org>             |
| Author GPG Key: | DB4724E6FA4286C92B4E55C4321E4E2373590E5D |
| Language:       | Australian English, British English      |
| xml:lang:       | en-AU, en-GB, en                         |

This document provides basic instruction in how to use the GPGME
Python bindings to programmatically leverage the GPGME library.


** Python 2 versus Python 3
   :PROPERTIES:
   :CUSTOM_ID: py2-vs-py3
   :END:

Though the GPGME Python bindings themselves provide support for both
Python 2 and 3, the focus is unequivocally on Python 3 and
specifically from Python 3.4 and above.  As a consequence all the
examples and instructions in this guide use Python 3 code.

Much of it will work with Python 2, but much of it also deals with
Python 3 byte literals, particularly when reading and writing data.
Developers concentrating on Python 2.7, and possibly even 2.6, will
need to make the appropriate modifications to support the older string
and unicode types as opposed to bytes.

There are multiple reasons for concentrating on Python 3; some of
which relate to the immediate integration of these bindings, some of
which relate to longer term plans for both GPGME and the python
bindings and some of which relate to the impending EOL period for
Python 2.7.  Essentially, though, there is little value in tying the
bindings to a version of the language which is a dead end and the
advantages offered by Python 3 over Python 2 make handling the data
types with which GPGME deals considerably easier.


** Examples
   :PROPERTIES:
   :CUSTOM_ID: howto-python3-examples
   :END:

All of the examples found in this document can be found as Python 3
scripts in the =lang/python/examples/howto= directory.


** Unofficial Drafts
   :PROPERTIES:
   :CUSTOM_ID: unofficial-drafts
   :END:

In addition to shipping with each release of GPGME, there is a section
on locations to read or download [[#draft-editions][draft editions]] of this document from
at the end of it.  These are unofficial versions produced in between
major releases.


** What's New
   :PROPERTIES:
   :CUSTOM_ID: new-stuff
   :END:

The most obviously new point for those reading this guide is this
section on other new things, but that's hardly important.  Not given
all the other things which spurred the need for adding this section
and its subsections.

*** New in GPGME 1·12·0
    :PROPERTIES:
    :CUSTOM_ID: new-stuff-1-12-0
    :END:

There have been quite a number of additions to GPGME and the Python
bindings to it since the last release of GPGME with versions 1.11.0
and 1.11.1 in April, 2018.

The bullet points of new additiions are:

- an expanded section on [[#installation][installing]] and [[#snafu][troubleshooting]] the Python
  bindings.
- The release of Python 3.7.0; which appears to be working just fine
  with our bindings, in spite of intermittent reports of problems for
  many other Python projects with that new release.
- In order to fix some other issues, there are certain underlying
  functions which are more exposed through the [[#howto-get-context][gpg.Context()]], but
  ongoing documentation ought to clarify that or otherwise provide the
  best means of using the bindings.  Some additions to =gpg.core= and
  the =Context()=, however, were intended (see below).
- Continuing work in identifying and confirming the cause of
  oft-reported [[#snafu-runtime-not-funtime][problems installing the Python bindings on Windows]].
- GSOC: Google's Surreptitiously Ordered Conscription ... erm ... oh,
  right; Google's Summer of Code.  Though there were two hopeful
  candidates this year; only one ended up involved with the GnuPG
  Project directly, the other concentrated on an unrelated third party
  project with closer ties to one of the GNU/Linux distributions than
  to the GnuPG Project.  Thus the Python bindings benefited from GSOC
  participant Jacob Adams, who added the key_import function; building
  on prior work by Tobias Mueller.
- Several new methods functions were added to the gpg.Context(),
  including: [[#howto-import-key][key_import]], [[#howto-export-key][key_export]], [[#howto-export-public-key][key_export_minimal]] and
  [[#howto-export-secret-key][key_export_secret]].
- Importing and exporting examples include versions integrated with
  Marcel Fest's recently released [[https://github.com/Selfnet/hkp4py][HKP for Python]] module.  Some
  [[#hkp4py][additional notes on this module]] are included at the end of the HOWTO.
- Instructions for dealing with semi-walled garden implementations
  like ProtonMail are also included.  This is intended to make things
  a little easier when communicating with users of ProtonMail's
  services and should not be construed as an endorsement of said
  service.  The GnuPG Project neither favours, nor disfavours
  ProtonMail and the majority of this deals with interacting with the
  ProtonMail keyserver.
- Semi-formalised the location where [[#draft-editions][draft versions]] of this HOWTO may
  periodically be accessible.  This is both for the reference of
  others and testing the publishing of the document itself.
- Added a new section for [[#advanced-use][advanced or experimental use]].
- Began the advanced use cases with [[#cython][a section]] on using the module with
  [[http://cython.org/][Cython]].


* GPGME Concepts
  :PROPERTIES:
  :CUSTOM_ID: gpgme-concepts
  :END:


** A C API
   :PROPERTIES:
   :CUSTOM_ID: gpgme-c-api
   :END:

Unlike many modern APIs with which programmers will be more familiar
with these days, the GPGME API is a C API.  The API is intended for
use by C coders who would be able to access its features by including
the =gpgme.h= header file with their own C source code and then access
its functions just as they would any other C headers.

This is a very effective method of gaining complete access to the API
and in the most efficient manner possible.  It does, however, have the
drawback that it cannot be directly used by other languages without
some means of providing an interface to those languages.  This is
where the need for bindings in various languages stems.


** Python bindings
   :PROPERTIES:
   :CUSTOM_ID: gpgme-python-bindings
   :END:

The Python bindings for GPGME provide a higher level means of
accessing the complete feature set of GPGME itself.  It also provides
a more pythonic means of calling these API functions.

The bindings are generated dynamically with SWIG and the copy of
=gpgme.h= generated when GPGME is compiled.

This means that a version of the Python bindings is fundamentally tied
to the exact same version of GPGME used to generate that copy of
=gpgme.h=.


** Difference between the Python bindings and other GnuPG Python packages
   :PROPERTIES:
   :CUSTOM_ID: gpgme-python-bindings-diffs
   :END:

There have been numerous attempts to add GnuPG support to Python over
the years.  Some of the most well known are listed here, along with
what differentiates them.


*** The python-gnupg package maintained by Vinay Sajip
    :PROPERTIES:
    :CUSTOM_ID: diffs-python-gnupg
    :END:

This is arguably the most popular means of integrating GPG with
Python.  The package utilises the =subprocess= module to implement
wrappers for the =gpg= and =gpg2= executables normally invoked on the
command line (=gpg.exe= and =gpg2.exe= on Windows).

The popularity of this package stemmed from its ease of use and
capability in providing the most commonly required features.

Unfortunately it has been beset by a number of security issues in the
past; most of which stemmed from using unsafe methods of accessing the
command line via the =subprocess= calls.  While some effort has been
made over the last two to three years (as of 2018) to mitigate this,
particularly by no longer providing shell access through those
subprocess calls, the wrapper is still somewhat limited in the scope
of its GnuPG features coverage.

The python-gnupg package is available under the MIT license.


*** The gnupg package created and maintained by Isis Lovecruft
    :PROPERTIES:
    :CUSTOM_ID: diffs-isis-gnupg
    :END:

In 2015 Isis Lovecruft from the Tor Project forked and then
re-implemented the python-gnupg package as just gnupg.  This new
package also relied on subprocess to call the =gpg= or =gpg2=
binaries, but did so somewhat more securely.

The naming and version numbering selected for this package, however,
resulted in conflicts with the original python-gnupg and since its
functions were called in a different manner to python-gnupg, the
release of this package also resulted in a great deal of consternation
when people installed what they thought was an upgrade that
subsequently broke the code relying on it.

The gnupg package is available under the GNU General Public License
version 3.0 (or any later version).


*** The PyME package maintained by Martin Albrecht
    :PROPERTIES:
    :CUSTOM_ID: diffs-pyme
    :END:

This package is the origin of these bindings, though they are somewhat
different now.  For details of when and how the PyME package was
folded back into GPGME itself see the /Short History/ document[fn:1]
in the Python bindings =docs= directory.[fn:2]

The PyME package was first released in 2002 and was also the first
attempt to implement a low level binding to GPGME.  In doing so it
provided access to considerably more functionality than either the
=python-gnupg= or =gnupg= packages.

The PyME package is only available for Python 2.6 and 2.7.

Porting the PyME package to Python 3.4 in 2015 is what resulted in it
being folded into the GPGME project and the current bindings are the
end result of that effort.

The PyME package is available under the same dual licensing as GPGME
itself: the GNU General Public License version 2.0 (or any later
version) and the GNU Lesser General Public License version 2.1 (or any
later version).


* GPGME Python bindings installation
  :PROPERTIES:
  :CUSTOM_ID: gpgme-python-install
  :END:


** No PyPI
   :PROPERTIES:
   :CUSTOM_ID: do-not-use-pypi
   :END:

Most third-party Python packages and modules are available and
distributed through the Python Package Installer, known as PyPI.

Due to the nature of what these bindings are and how they work, it is
infeasible to install the GPGME Python bindings in the same way.

This is because the bindings use SWIG to dynamically generate C
bindings against =gpgme.h= and =gpgme.h= is generated from
=gpgme.h.in= at compile time when GPGME is built from source.  Thus to
include a package in PyPI which actually built correctly would require
either statically built libraries for every architecture bundled with
it or a full implementation of C for each architecture.

See the additional notes regarding [[#snafu-cffi][CFFI and SWIG]] at the end of this
section for further details.


** Requirements
   :PROPERTIES:
   :CUSTOM_ID: gpgme-python-requirements
   :END:

The GPGME Python bindings only have three requirements:

1. A suitable version of Python 2 or Python 3.  With Python 2 that
   means CPython 2.7 and with Python 3 that means CPython 3.4 or
   higher.
2. [[https://www.swig.org][SWIG]].
3. GPGME itself.  Which also means that all of GPGME's dependencies
   must be installed too.


*** Recommended Additions
   :PROPERTIES:
   :CUSTOM_ID: gpgme-python-recommendations
   :END:

Though none of the following are absolute requirements, they are all
recommended for use with the Python bindings.  In some cases these
recommendations refer to which version(s) of CPython to use the
bindings with, while others refer to third party modules which provide
a significant advantage in some way.

1. If possible, use Python 3 instead of 2.
2. Favour a more recent version of Python since even 3.4 is due to
   reach EOL soon.  In production systems and services, Python 3.6
   should be robust enough to be relied on.
3. If possible add the following Python modules which are not part of
   the standard library: [[http://docs.python-requests.org/en/latest/index.html][Requests]], [[http://cython.org/][Cython]] and [[https://github.com/Selfnet/hkp4py][hkp4py]].  Chances are
   quite high that at least the first one and maybe two of those will
   already be installed.


** Installation
   :PROPERTIES:
   :CUSTOM_ID: installation
   :END:

Installing the Python bindings is effectively achieved by compiling
and installing GPGME itself.

Once SWIG is installed with Python and all the dependencies for GPGME
are installed you only need to confirm that the version(s) of Python
you want the bindings installed for are in your =$PATH=.

By default GPGME will attempt to install the bindings for the most
recent or highest version number of Python 2 and Python 3 it detects
in =$PATH=.  It specifically checks for the =python= and =python3=
executables first and then checks for specific version numbers.

For Python 2 it checks for these executables in this order: =python=,
=python2= and =python2.7=.

For Python 3 it checks for these executables in this order: =python3=,
=python3.6=, =python3.5=, =python3.4= and =python3.7=.[fn:3]


*** Installing GPGME
    :PROPERTIES:
    :CUSTOM_ID: install-gpgme
    :END:

See the GPGME =README= file for details of how to install GPGME from
source.


** Known Issues
   :PROPERTIES:
   :CUSTOM_ID: snafu
   :END:

There are a few known issues with the current build process and the
Python bindings.  For the most part these are easily addressed should
they be encountered.


*** Breaking Builds
    :PROPERTIES:
    :CUSTOM_ID: snafu-a-swig-of-this-builds-character
    :END:

Occasionally when installing GPGME with the Python bindings included
it may be observed that the =make= portion of that process induces a
large very number of warnings and, eventually errors which end that
part of the build process.  Yet following that with =make check= and
=make install= appears to work seamlessly.

The cause of this is related to the way SWIG needs to be called to
dynamically generate the C bindings for GPGME in the first place.  So
the entire process will always produce =lang/python/python2-gpg/= and
=lang/python/python3-gpg/= directories.  These should contain the
build output generated during compilation, including the complete
bindings and module installed into =site-packages=.

Occasionally the errors in the early part or some other conflict
(e.g. not installing as */root/* or */su/*) may result in nothing
being installed to the relevant =site-packages= directory and the
build directory missing a lot of expected files.  Even when this
occurs, the solution is actually quite simple and will always work.

That solution is simply to run the following commands as either the
*root* user or prepended with =sudo -H=[fn:4] in the =lang/python/=
directory:

#+BEGIN_SRC shell
  /path/to/pythonX.Y setup.py build
  /path/to/pythonX.Y setup.py build
  /path/to/pythonX.Y setup.py install
#+END_SRC

Yes, the build command does need to be run twice.  Yes, you still need
to run the potentially failing or incomplete steps during the
=configure=, =make= and =make install= steps with installing GPGME.
This is because those steps generate a lot of essential files needed,
both by and in order to create, the bindings (including both the
=setup.py= and =gpgme.h= files).


**** IMPORTANT Note
     :PROPERTIES:
     :CUSTOM_ID: snafu-swig-build-note
     :END:

If specifying a selected number of languages to create bindings for,
try to leave Python last.  Currently the majority of the other
language bindings are also preceding Python of either version when
listed alphabetically and so that just happens by default currently.

If Python is set to precede one of the other languages then it is
possible that the errors described here may interrupt the build
process before generating bindings for those other languages.  In
these cases it may be preferable to configure all preferred language
bindings separately with alternative =configure= steps for GPGME using
the =--enable-languages=$LANGUAGE= option.


*** Reinstalling Responsibly
    :PROPERTIES:
    :CUSTOM_ID: snafu-lessons-for-the-lazy
    :END:

Regardless of whether you're installing for one version of Python or
several, there will come a point where reinstallation is required.
With most Python module installations, the installed files go into the
relevant site-packages directory and are then forgotten about.  Then
the module is upgraded, the new files are copied over the old and
that's the end of the matter.

While the same is true of these bindings, there have been intermittent
issues observed on some platforms which have benefited significantly
from removing all the previous installations of the bindings before
installing the updated versions.

Removing the previous version(s) is simply a matter of changing to the
relevant =site-packages= directory for the version of Python in
question and removing the =gpg/= directory and any accompanying
egg-info files for that module.

In most cases this will require root or administration privileges on
the system, but the same is true of installing the module in the first
place.


*** Multiple installations
    :PROPERTIES:
    :CUSTOM_ID: snafu-the-full-monty
    :END:

For a veriety of reasons it may be either necessary or just preferable
to install the bindings to alternative installed Python versions which
meet the requirements of these bindings.

On POSIX systems this will generally be most simply achieved by
running the manual installation commands (build, build, install) as
described in the previous section for each Python installation the
bindings need to be installed to.

As per the SWIG documentation: the compilers, libraries and runtime
used to build GPGME and the Python Bindings *must* match those used to
compile Python itself, including the version number(s) (at least going
by major version numbers and probably minor numbers too).

On most POSIX systems, including OS X, this will very likely be the
case in most, if not all, cases.


*** Won't Work With Windows
    :PROPERTIES:
    :CUSTOM_ID: snafu-runtime-not-funtime
    :END:

There are semi-regular reports of Windows users having considerable
difficulty in installing and using the Python bindings at all.  Very
often, possibly even always, these reports come from Cygwin users
and/or MinGW users and/or Msys2 users.  Though not all of them have
been confirmed, it appears that these reports have also come from
people who installed Python using the Windows installer files from the
[[https://python.org][Python website]] (i.e. mostly MSI installers, sometimes self-extracting
=.exe= files).

The Windows versions of Python are not built using Cygwin, MinGW or
Msys2; they're built using Microsoft Visual Studio.  Furthermore the
version used is /considerably/ more advanced than the version which
MinGW obtained a small number of files from many years ago in order to
be able to compile anything at all.  Not only that, but there are
changes to the version of Visual Studio between some micro releases,
though that is is particularly the case with Python 2.7, since it has
been kept around far longer than it should have been.

There are two theoretical solutions to this issue:

 1. Compile and install the GnuPG stack, including GPGME and the
    Python bibdings using the same version of Microsoft Visual Studio
    used by the Python Foundation to compile the version of Python
    installed.

    If there are multiple versions of Python then this will need to be
    done with each different version of Visual Studio used.

 2. Compile and install Python using the same tools used by choice,
    such as MinGW or Msys2.

Do *not* use the official Windows installer for Python unless
following the first method.

In this type of situation it may even be for the best to accept that
there are less limitations on permissive software than free software
and simply opt to use a recent version of the Community Edition of
Microsoft Visual Studio to compile and build all of it, no matter
what.

Investigations into the extent or the limitations of this issue are
ongoing.


*** CFFI is the Best™ and GPGME should use it instead of SWIG
    :PROPERTIES:
    :CUSTOM_ID: snafu-cffi
    :END:

There are many reasons for favouring [[https://cffi.readthedocs.io/en/latest/overview.html][CFFI]] and proponents of it are
quite happy to repeat these things as if all it would take to switch
from SWIG to CFFI is repeating that list as if it were a new concept.

The fact is that there are things which Python's CFFI implementation
cannot handle in the GPGME C code.  Beyond that there are features of
SWIG which are simply not available with CFFI at all.  SWIG generates
the bindings to Python using the =gpgme.h= file, but that file is not
a single version shipped with each release, it too is generated when
GPGME is compiled.

CFFI is currently unable to adapt to such a potentially mutable
codebase.  If there were some means of applying SWIG's dynamic code
generation to produce the Python/CFFI API modes of accessing the GPGME
libraries (or the source source code directly), but such a thing does
not exist yet either and it currently appears that work is needed in
at least one of CFFI's dependencies before any of this can be
addressed.

So if you're a massive fan of CFFI; that's great, but if you want this
project to switch to CFFI then rather than just insisting that it
should, I'd suggest you volunteer to bring CFFI up to the level this
project needs.

If you're actually seriously considering doing so, then I'd suggest
taking the =gpgme-tool.c= file in the GPGME =src/= directory and
getting that to work with any of the CFFI API methods (not the ABI
methods, they'll work with pretty much anything).  When you start
running into trouble with "ifdefs" then you'll know what sort of
things are lacking.  That doesn't even take into account the amount of
work saved via SWIG's code generation techniques either.


* Fundamentals
  :PROPERTIES:
  :CUSTOM_ID: howto-fund-a-mental
  :END:

Before we can get to the fun stuff, there are a few matters regarding
GPGME's design which hold true whether you're dealing with the C code
directly or these Python bindings.


** No REST
   :PROPERTIES:
   :CUSTOM_ID: no-rest-for-the-wicked
   :END:

The first part of which is or will be fairly blatantly obvious upon
viewing the first example, but it's worth reiterating anyway.  That
being that this API is /*not*/ a REST API.  Nor indeed could it ever
be one.

Most, if not all, Python programmers (and not just Python programmers)
know how easy it is to work with a RESTful API.  In fact they've
become so popular that many other APIs attempt to emulate REST-like
behaviour as much as they are able.  Right down to the use of JSON
formatted output to facilitate the use of their API without having to
retrain developers.

This API does not do that.  It would not be able to do that and also
provide access to the entire C API on which it's built.  It does,
however, provide a very pythonic interface on top of the direct
bindings and it's this pythonic layer that this HOWTO deals with.


** Context
   :PROPERTIES:
   :CUSTOM_ID: howto-get-context
   :END:

One of the reasons which prevents this API from being RESTful is that
most operations require more than one instruction to the API to
perform the task.  Sure, there are certain functions which can be
performed simultaneously, particularly if the result known or strongly
anticipated (e.g. selecting and encrypting to a key known to be in the
public keybox).

There are many more, however, which cannot be manipulated so readily:
they must be performed in a specific sequence and the result of one
operation has a direct bearing on the outcome of subsequent
operations.  Not merely by generating an error either.

When dealing with this type of persistent state on the web, full of
both the RESTful and REST-like, it's most commonly referred to as a
session.  In GPGME, however, it is called a context and every
operation type has one.


* Working with keys
  :PROPERTIES:
  :CUSTOM_ID: howto-keys
  :END:


** Key selection
   :PROPERTIES:
   :CUSTOM_ID: howto-keys-selection
   :END:

Selecting keys to encrypt to or to sign with will be a common
occurrence when working with GPGMe and the means available for doing
so are quite simple.

They do depend on utilising a Context; however once the data is
recorded in another variable, that Context does not need to be the
same one which subsequent operations are performed.

The easiest way to select a specific key is by searching for that
key's key ID or fingerprint, preferably the full fingerprint without
any spaces in it.  A long key ID will probably be okay, but is not
advised and short key IDs are already a problem with some being
generated to match specific patterns.  It does not matter whether the
pattern is upper or lower case.

So this is the best method:

#+BEGIN_SRC python -i
import gpg

k = gpg.Context().keylist(pattern="258E88DCBD3CD44D8E7AB43F6ECB6AF0DEADBEEF")
keys = list(k)
#+END_SRC

This is passable and very likely to be common:

#+BEGIN_SRC python -i
import gpg

k = gpg.Context().keylist(pattern="0x6ECB6AF0DEADBEEF")
keys = list(k)
#+END_SRC

And this is a really bad idea:

#+BEGIN_SRC python -i
import gpg

k = gpg.Context().keylist(pattern="0xDEADBEEF")
keys = list(k)
#+END_SRC

Alternatively it may be that the intention is to create a list of keys
which all match a particular search string.  For instance all the
addresses at a particular domain, like this:

#+BEGIN_SRC python -i
import gpg

ncsc = gpg.Context().keylist(pattern="ncsc.mil")
nsa = list(ncsc)
#+END_SRC


*** Counting keys
    :PROPERTIES:
    :CUSTOM_ID: howto-keys-counting
    :END:

Counting the number of keys in your public keybox (=pubring.kbx=), the
format which has superseded the old keyring format (=pubring.gpg= and
=secring.gpg=), or the number of secret keys is a very simple task.

#+BEGIN_SRC python -i
import gpg

c = gpg.Context()
seckeys = c.keylist(pattern=None, secret=True)
pubkeys = c.keylist(pattern=None, secret=False)

seclist = list(seckeys)
secnum = len(seclist)

publist = list(pubkeys)
pubnum = len(publist)

print("""
  Number of secret keys:  {0}
  Number of public keys:  {1}
""".format(secnum, pubnum))
#+END_SRC


** Get key
   :PROPERTIES:
   :CUSTOM_ID: howto-get-key
   :END:

An alternative method of getting a single key via its fingerprint is
available directly within a Context with =Context().get_key=.  This is
the preferred method of selecting a key in order to modify it, sign or
certify it and for obtaining relevant data about a single key as a
part of other functions; when verifying a signature made by that key,
for instance.

By default this method will select public keys, but it can select
secret keys as well.

This first example demonstrates selecting the current key of Werner
Koch, which is due to expire at the end of 2018:

#+BEGIN_SRC python -i
import gpg

fingerprint = "80615870F5BAD690333686D0F2AD85AC1E42B367"
key = gpg.Context().get_key(fingerprint)
#+END_SRC

Whereas this example demonstrates selecting the author's current key
with the =secret= key word argument set to =True=:

#+BEGIN_SRC python -i
import gpg

fingerprint = "DB4724E6FA4286C92B4E55C4321E4E2373590E5D"
key = gpg.Context().get_key(fingerprint, secret=True)
#+END_SRC

It is, of course, quite possible to select expired, disabled and
revoked keys with this function, but only to effectively display
information about those keys.

It is also possible to use both unicode or string literals and byte
literals with the fingerprint when getting a key in this way.


** Importing keys
   :PROPERTIES:
   :CUSTOM_ID: howto-import-key
   :END:

Importing keys is possible with the =key_import()= method and takes
one argument which is a bytes literal object containing either the
binary or ASCII armoured key data for one or more keys.

The following example retrieves one or more keys from the SKS
keyservers via the web using the requests module.  Since requests
returns the content as a bytes literal object, we can then use that
directly to import the resulting data into our keybox.

#+BEGIN_SRC python -i
import gpg
import os.path
import requests

c = gpg.Context()
url = "https://sks-keyservers.net/pks/lookup"
pattern = input("Enter the pattern to search for key or user IDs: ")
payload = {"op": "get", "search": pattern}

r = requests.get(url, verify=True, params=payload)
result = c.key_import(r.content)

if result is not None and hasattr(result, "considered") is False:
    print(result)
elif result is not None and hasattr(result, "considered") is True:
    num_keys = len(result.imports)
    new_revs = result.new_revocations
    new_sigs = result.new_signatures
    new_subs = result.new_sub_keys
    new_uids = result.new_user_ids
    new_scrt = result.secret_imported
    nochange = result.unchanged
    print("""
  The total number of keys considered for import was:  {0}

     Number of keys revoked:  {1}
   Number of new signatures:  {2}
      Number of new subkeys:  {3}
     Number of new user IDs:  {4}
  Number of new secret keys:  {5}
   Number of unchanged keys:  {6}

  The key IDs for all considered keys were:
""".format(num_keys, new_revs, new_sigs, new_subs, new_uids, new_scrt,
           nochange))
    for i in range(num_keys):
        print("{0}\n".format(result.imports[i].fpr))
else:
    pass
#+END_SRC

*NOTE:* When searching for a key ID of any length or a fingerprint
(without spaces), the SKS servers require the the leading =0x=
indicative of hexadecimal be included.  Also note that the old short
key IDs (e.g. =0xDEADBEEF=) should no longer be used due to the
relative ease by which such key IDs can be reproduced, as demonstrated
by the Evil32 Project in 2014 (which was subsequently exploited in
2016).


*** Working with ProtonMail
    :PROPERTIES:
    :CUSTOM_ID: import-protonmail
    :END:

Here is a variation on the example above which checks the constrained
ProtonMail keyserver for ProtonMail public keys.

#+BEGIN_SRC python -i
import gpg
import requests
import sys

print("""
This script searches the ProtonMail key server for the specified key and
imports it.
""")

c = gpg.Context(armor=True)
url = "https://api.protonmail.ch/pks/lookup"
ksearch = []

if len(sys.argv) >= 2:
    keyterm = sys.argv[1]
else:
    keyterm = input("Enter the key ID, UID or search string: ")

if keyterm.count("@") == 2 and keyterm.startswith("@") is True:
    ksearch.append(keyterm[1:])
    ksearch.append(keyterm[1:])
    ksearch.append(keyterm[1:])
elif keyterm.count("@") == 1 and keyterm.startswith("@") is True:
    ksearch.append("{0}@protonmail.com".format(keyterm[1:]))
    ksearch.append("{0}@protonmail.ch".format(keyterm[1:]))
    ksearch.append("{0}@pm.me".format(keyterm[1:]))
elif keyterm.count("@") == 0:
    ksearch.append("{0}@protonmail.com".format(keyterm))
    ksearch.append("{0}@protonmail.ch".format(keyterm))
    ksearch.append("{0}@pm.me".format(keyterm))
elif keyterm.count("@") == 2 and keyterm.startswith("@") is False:
    uidlist = keyterm.split("@")
    for uid in uidlist:
        ksearch.append("{0}@protonmail.com".format(uid))
        ksearch.append("{0}@protonmail.ch".format(uid))
        ksearch.append("{0}@pm.me".format(uid))
elif keyterm.count("@") > 2:
    uidlist = keyterm.split("@")
    for uid in uidlist:
        ksearch.append("{0}@protonmail.com".format(uid))
        ksearch.append("{0}@protonmail.ch".format(uid))
        ksearch.append("{0}@pm.me".format(uid))
else:
    ksearch.append(keyterm)

for k in ksearch:
    payload = {"op": "get", "search": k}
    try:
        r = requests.get(url, verify=True, params=payload)
        if r.ok is True:
            result = c.key_import(r.content)
        elif r.ok is False:
            result = r.content
    except Exception as e:
        result = None

    if result is not None and hasattr(result, "considered") is False:
        print("{0} for {1}".format(result.decode(), k))
    elif result is not None and hasattr(result, "considered") is True:
        num_keys = len(result.imports)
        new_revs = result.new_revocations
        new_sigs = result.new_signatures
        new_subs = result.new_sub_keys
        new_uids = result.new_user_ids
        new_scrt = result.secret_imported
        nochange = result.unchanged
        print("""
The total number of keys considered for import was:  {0}

With UIDs wholely or partially matching the following string:

        {1}

   Number of keys revoked:  {2}
 Number of new signatures:  {3}
    Number of new subkeys:  {4}
   Number of new user IDs:  {5}
Number of new secret keys:  {6}
 Number of unchanged keys:  {7}

The key IDs for all considered keys were:
""".format(num_keys, k, new_revs, new_sigs, new_subs, new_uids, new_scrt,
           nochange))
        for i in range(num_keys):
            print(result.imports[i].fpr)
        print("")
    elif result is None:
        print(e)
#+END_SRC

Both the above example, [[../examples/howto/pmkey-import.py][pmkey-import.py]], and a version which prompts
for an alternative GnuPG home directory, [[../examples/howto/pmkey-import-alt.py][pmkey-import-alt.py]], are
available with the other examples and are executable scripts.

Note that while the ProtonMail servers are based on the SKS servers,
their server is related more to their API and is not feature complete
by comparison to the servers in the SKS pool.  One notable difference
being that the ProtonMail server does not permit non ProtonMail users
to update their own keys, which could be a vector for attacking
ProtonMail users who may not receive a key's revocation if it had been
compromised.


*** Importing with HKP for Python
    :PROPERTIES:
    :CUSTOM_ID: import-hkp4py
    :END:

Performing the same tasks with the [[https://github.com/Selfnet/hkp4py][hkp4py module]] (available via PyPI)
is not too much different, but does provide a number of options of
benefit to end users.  Not least of which being the ability to perform
some checks on a key before importing it or not.  For instance it may
be the policy of a site or project to only import keys which have not
been revoked.  The hkp4py module permits such checks prior to the
importing of the keys found.

#+BEGIN_SRC python -i
import gpg
import hkp4py
import sys

c = gpg.Context()
server = hkp4py.KeyServer("hkps://hkps.pool.sks-keyservers.net")
results = []

if len(sys.argv) > 2:
    pattern = " ".join(sys.argv[1:])
elif len(sys.argv) == 2:
    pattern = sys.argv[1]
else:
    pattern = input("Enter the pattern to search for keys or user IDs: ")

try:
    keys = server.search(pattern)
    print("Found {0} key(s).".format(len(keys)))
except Exception as e:
    keys = []
    for logrus in pattern.split():
        if logrus.startswith("0x") is True:
            key = server.search(logrus)
        else:
            key = server.search("0x{0}".format(logrus))
        keys.append(key[0])
    print("Found {0} key(s).".format(len(keys)))

for key in keys:
    import_result = c.key_import(key.key_blob)
    results.append(import_result)

for result in results:
    if result is not None and hasattr(result, "considered") is False:
        print(result)
    elif result is not None and hasattr(result, "considered") is True:
        num_keys = len(result.imports)
        new_revs = result.new_revocations
        new_sigs = result.new_signatures
        new_subs = result.new_sub_keys
        new_uids = result.new_user_ids
        new_scrt = result.secret_imported
        nochange = result.unchanged
        print("""
The total number of keys considered for import was:  {0}

   Number of keys revoked:  {1}
 Number of new signatures:  {2}
    Number of new subkeys:  {3}
   Number of new user IDs:  {4}
Number of new secret keys:  {5}
 Number of unchanged keys:  {6}

The key IDs for all considered keys were:
""".format(num_keys, new_revs, new_sigs, new_subs, new_uids, new_scrt,
           nochange))
        for i in range(num_keys):
            print(result.imports[i].fpr)
        print("")
    else:
        pass
#+END_SRC

Since the hkp4py module handles multiple keys just as effectively as
one (=keys= is a list of responses per matching key), the example
above is able to do a little bit more with the returned data before
anything is actually imported.


*** Importing from ProtonMail with HKP for Python
    :PROPERTIES:
    :CUSTOM_ID: import-protonmail-hkp4py
    :END:

Though this can provide certain benefits even when working with
ProtonMail, the scope is somewhat constrained there due to the
limitations of the ProtonMail keyserver.

For instance, searching the SKS keyserver pool for the term "gnupg"
produces hundreds of results from any time the word appears in any
part of a user ID.  Performing the same search on the ProtonMail
keyserver returns zero results, even though there are at least two
test accounts which include it as part of the username.

The cause of this discrepancy is the deliberate configuration of that
server by ProtonMail to require an exact match of the full email
address of the ProtonMail user whose key is being requested.
Presumably this is intended to reduce breaches of privacy of their
users as an email address must already be known before a key for that
address can be obtained.


**** Import from ProtonMail via HKP for Python Example no. 1
     :PROPERTIES:
     :CUSTOM_ID: import-hkp4py-pm1
     :END:

The following script is avalable with the rest of the examples under
the somewhat less than original name, =pmkey-import-hkp.py=.

#+BEGIN_SRC python -i
import gpg
import hkp4py
import os.path
import sys

print("""
This script searches the ProtonMail key server for the specified key and
imports it.

Usage:  pmkey-import-hkp.py [search strings]
""")

c = gpg.Context(armor=True)
server = hkp4py.KeyServer("hkps://api.protonmail.ch")
keyterms = []
ksearch = []
allkeys = []
results = []
paradox = []
homeless = None

if len(sys.argv) > 2:
    keyterms = sys.argv[1:]
elif len(sys.argv) == 2:
    keyterm = sys.argv[1]
    keyterms.append(keyterm)
else:
    key_term = input("Enter the key ID, UID or search string: ")
    keyterms = key_term.split()

for keyterm in keyterms:
    if keyterm.count("@") == 2 and keyterm.startswith("@") is True:
        ksearch.append(keyterm[1:])
        ksearch.append(keyterm[1:])
        ksearch.append(keyterm[1:])
    elif keyterm.count("@") == 1 and keyterm.startswith("@") is True:
        ksearch.append("{0}@protonmail.com".format(keyterm[1:]))
        ksearch.append("{0}@protonmail.ch".format(keyterm[1:]))
        ksearch.append("{0}@pm.me".format(keyterm[1:]))
    elif keyterm.count("@") == 0:
        ksearch.append("{0}@protonmail.com".format(keyterm))
        ksearch.append("{0}@protonmail.ch".format(keyterm))
        ksearch.append("{0}@pm.me".format(keyterm))
    elif keyterm.count("@") == 2 and keyterm.startswith("@") is False:
        uidlist = keyterm.split("@")
        for uid in uidlist:
            ksearch.append("{0}@protonmail.com".format(uid))
            ksearch.append("{0}@protonmail.ch".format(uid))
            ksearch.append("{0}@pm.me".format(uid))
    elif keyterm.count("@") > 2:
        uidlist = keyterm.split("@")
        for uid in uidlist:
            ksearch.append("{0}@protonmail.com".format(uid))
            ksearch.append("{0}@protonmail.ch".format(uid))
            ksearch.append("{0}@pm.me".format(uid))
    else:
        ksearch.append(keyterm)

for k in ksearch:
    print("Checking for key for: {0}".format(k))
    try:
        keys = server.search(k)
        if isinstance(keys, list) is True:
            for key in keys:
                allkeys.append(key)
                try:
                    import_result = c.key_import(key.key_blob)
                except Exception as e:
                    import_result = c.key_import(key.key)
        else:
            paradox.append(keys)
            import_result = None
    except Exception as e:
        import_result = None
    results.append(import_result)

for result in results:
    if result is not None and hasattr(result, "considered") is False:
        print("{0} for {1}".format(result.decode(), k))
    elif result is not None and hasattr(result, "considered") is True:
        num_keys = len(result.imports)
        new_revs = result.new_revocations
        new_sigs = result.new_signatures
        new_subs = result.new_sub_keys
        new_uids = result.new_user_ids
        new_scrt = result.secret_imported
        nochange = result.unchanged
        print("""
The total number of keys considered for import was:  {0}

With UIDs wholely or partially matching the following string:

        {1}

   Number of keys revoked:  {2}
 Number of new signatures:  {3}
    Number of new subkeys:  {4}
   Number of new user IDs:  {5}
Number of new secret keys:  {6}
 Number of unchanged keys:  {7}

The key IDs for all considered keys were:
""".format(num_keys, k, new_revs, new_sigs, new_subs, new_uids, new_scrt,
           nochange))
        for i in range(num_keys):
            print(result.imports[i].fpr)
        print("")
    elif result is None:
        pass
#+END_SRC


**** Import from ProtonMail via HKP for Python Example no. 2
     :PROPERTIES:
     :CUSTOM_ID: import-hkp4py-pm2
     :END:

Like its counterpart above, this script can also be found with the
rest of the examples, by the name pmkey-import-hkp-alt.py.

With this script a modicum of effort has been made to treat anything
passed as a =homedir= which either does not exist or which is not a
directory, as also being a pssible user ID to check for.  It's not
guaranteed to pick up on all such cases, but it should cover most of
them.

#+BEGIN_SRC python -i
import gpg
import hkp4py
import os.path
import sys

print("""
This script searches the ProtonMail key server for the specified key and
imports it.  Optionally enables specifying a different GnuPG home directory.

Usage:  pmkey-import-hkp.py [homedir] [search string]
   or:  pmkey-import-hkp.py [search string]
""")

c = gpg.Context(armor=True)
server = hkp4py.KeyServer("hkps://api.protonmail.ch")
keyterms = []
ksearch = []
allkeys = []
results = []
paradox = []
homeless = None

if len(sys.argv) > 3:
    homedir = sys.argv[1]
    keyterms = sys.argv[2:]
elif len(sys.argv) == 3:
    homedir = sys.argv[1]
    keyterm = sys.argv[2]
    keyterms.append(keyterm)
elif len(sys.argv) == 2:
    homedir = ""
    keyterm = sys.argv[1]
    keyterms.append(keyterm)
else:
    keyterm = input("Enter the key ID, UID or search string: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")
    keyterms.append(keyterm)

if len(homedir) == 0:
    homedir = None
    homeless = False

if homedir is not None:
    if homedir.startswith("~"):
        if os.path.exists(os.path.expanduser(homedir)) is True:
            if os.path.isdir(os.path.expanduser(homedir)) is True:
                c.home_dir = os.path.realpath(os.path.expanduser(homedir))
            else:
                homeless = True
        else:
            homeless = True
    elif os.path.exists(os.path.realpath(homedir)) is True:
        if os.path.isdir(os.path.realpath(homedir)) is True:
            c.home_dir = os.path.realpath(homedir)
        else:
            homeless = True
    else:
        homeless = True

# First check to see if the homedir really is a homedir and if not, treat it as
# a search string.
if homeless is True:
    keyterms.append(homedir)
    c.home_dir = None
else:
    pass

for keyterm in keyterms:
    if keyterm.count("@") == 2 and keyterm.startswith("@") is True:
        ksearch.append(keyterm[1:])
        ksearch.append(keyterm[1:])
        ksearch.append(keyterm[1:])
    elif keyterm.count("@") == 1 and keyterm.startswith("@") is True:
        ksearch.append("{0}@protonmail.com".format(keyterm[1:]))
        ksearch.append("{0}@protonmail.ch".format(keyterm[1:]))
        ksearch.append("{0}@pm.me".format(keyterm[1:]))
    elif keyterm.count("@") == 0:
        ksearch.append("{0}@protonmail.com".format(keyterm))
        ksearch.append("{0}@protonmail.ch".format(keyterm))
        ksearch.append("{0}@pm.me".format(keyterm))
    elif keyterm.count("@") == 2 and keyterm.startswith("@") is False:
        uidlist = keyterm.split("@")
        for uid in uidlist:
            ksearch.append("{0}@protonmail.com".format(uid))
            ksearch.append("{0}@protonmail.ch".format(uid))
            ksearch.append("{0}@pm.me".format(uid))
    elif keyterm.count("@") > 2:
        uidlist = keyterm.split("@")
        for uid in uidlist:
            ksearch.append("{0}@protonmail.com".format(uid))
            ksearch.append("{0}@protonmail.ch".format(uid))
            ksearch.append("{0}@pm.me".format(uid))
    else:
        ksearch.append(keyterm)

for k in ksearch:
    print("Checking for key for: {0}".format(k))
    try:
        keys = server.search(k)
        if isinstance(keys, list) is True:
            for key in keys:
                allkeys.append(key)
                try:
                    import_result = c.key_import(key.key_blob)
                except Exception as e:
                    import_result = c.key_import(key.key)
        else:
            paradox.append(keys)
            import_result = None
    except Exception as e:
        import_result = None
    results.append(import_result)

for result in results:
    if result is not None and hasattr(result, "considered") is False:
        print("{0} for {1}".format(result.decode(), k))
    elif result is not None and hasattr(result, "considered") is True:
        num_keys = len(result.imports)
        new_revs = result.new_revocations
        new_sigs = result.new_signatures
        new_subs = result.new_sub_keys
        new_uids = result.new_user_ids
        new_scrt = result.secret_imported
        nochange = result.unchanged
        print("""
The total number of keys considered for import was:  {0}

With UIDs wholely or partially matching the following string:

        {1}

   Number of keys revoked:  {2}
 Number of new signatures:  {3}
    Number of new subkeys:  {4}
   Number of new user IDs:  {5}
Number of new secret keys:  {6}
 Number of unchanged keys:  {7}

The key IDs for all considered keys were:
""".format(num_keys, k, new_revs, new_sigs, new_subs, new_uids, new_scrt,
           nochange))
        for i in range(num_keys):
            print(result.imports[i].fpr)
        print("")
    elif result is None:
        pass
#+END_SRC


** Exporting keys
   :PROPERTIES:
   :CUSTOM_ID: howto-export-key
   :END:

Exporting keys remains a reasonably simple task, but has been
separated into three different functions for the OpenPGP cryptographic
engine.  Two of those functions are for exporting public keys and the
third is for exporting secret keys.


*** Exporting public keys
    :PROPERTIES:
    :CUSTOM_ID: howto-export-public-key
    :END:

There are two methods of exporting public keys, both of which are very
similar to the other.  The default method, =key_export()=, will export
a public key or keys matching a specified pattern as normal.  The
alternative, the =key_export_minimal()= method, will do the same thing
except producing a minimised output with extra signatures and third
party signatures or certifications removed.

#+BEGIN_SRC python -i
import gpg
import os.path
import sys

print("""
This script exports one or more public keys.
""")

c = gpg.Context(armor=True)

if len(sys.argv) >= 4:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = sys.argv[3]
elif len(sys.argv) == 3:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = input("Enter the GPG configuration directory path (optional): ")
elif len(sys.argv) == 2:
    keyfile = sys.argv[1]
    logrus = input("Enter the UID matching the key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")
else:
    keyfile = input("Enter the path and filename to save the secret key to: ")
    logrus = input("Enter the UID matching the key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")

if homedir.startswith("~"):
    if os.path.exists(os.path.expanduser(homedir)) is True:
        c.home_dir = os.path.expanduser(homedir)
    else:
        pass
elif os.path.exists(homedir) is True:
    c.home_dir = homedir
else:
    pass

try:
    result = c.key_export(pattern=logrus)
except:
    result = c.key_export(pattern=None)

if result is not None:
    with open(keyfile, "wb") as f:
        f.write(result)
else:
    pass
#+END_SRC

It is important to note that the result will only return =None= when a
pattern has been entered for =logrus=, but it has not matched any
keys. When the search pattern itself is set to =None= this triggers
the exporting of the entire public keybox.

#+BEGIN_SRC python -i
import gpg
import os.path
import sys

print("""
This script exports one or more public keys in minimised form.
""")

c = gpg.Context(armor=True)

if len(sys.argv) >= 4:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = sys.argv[3]
elif len(sys.argv) == 3:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = input("Enter the GPG configuration directory path (optional): ")
elif len(sys.argv) == 2:
    keyfile = sys.argv[1]
    logrus = input("Enter the UID matching the key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")
else:
    keyfile = input("Enter the path and filename to save the secret key to: ")
    logrus = input("Enter the UID matching the key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")

if homedir.startswith("~"):
    if os.path.exists(os.path.expanduser(homedir)) is True:
        c.home_dir = os.path.expanduser(homedir)
    else:
        pass
elif os.path.exists(homedir) is True:
    c.home_dir = homedir
else:
    pass

try:
    result = c.key_export_minimal(pattern=logrus)
except:
    result = c.key_export_minimal(pattern=None)

if result is not None:
    with open(keyfile, "wb") as f:
        f.write(result)
else:
    pass
#+END_SRC


*** Exporting secret keys
    :PROPERTIES:
    :CUSTOM_ID: howto-export-secret-key
    :END:

Exporting secret keys is, functionally, very similar to exporting
public keys; save for the invocation of =pinentry= via =gpg-agent= in
order to securely enter the key's passphrase and authorise the export.

The following example exports the secret key to a file which is then
set with the same permissions as the output files created by the
command line secret key export options.

#+BEGIN_SRC python -i
import gpg
import os
import os.path
import sys

print("""
This script exports one or more secret keys.

The gpg-agent and pinentry are invoked to authorise the export.
""")

c = gpg.Context(armor=True)

if len(sys.argv) >= 4:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = sys.argv[3]
elif len(sys.argv) == 3:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = input("Enter the GPG configuration directory path (optional): ")
elif len(sys.argv) == 2:
    keyfile = sys.argv[1]
    logrus = input("Enter the UID matching the secret key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")
else:
    keyfile = input("Enter the path and filename to save the secret key to: ")
    logrus = input("Enter the UID matching the secret key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")

if len(homedir) == 0:
    homedir = None
elif homedir.startswith("~"):
    userdir = os.path.expanduser(homedir)
    if os.path.exists(userdir) is True:
        homedir = os.path.realpath(userdir)
    else:
        homedir = None
else:
    homedir = os.path.realpath(homedir)

if os.path.exists(homedir) is False:
    homedir = None
else:
    if os.path.isdir(homedir) is False:
        homedir = None
    else:
        pass

if homedir is not None:
    c.home_dir = homedir
else:
    pass

try:
    result = c.key_export_secret(pattern=logrus)
except:
    result = c.key_export_secret(pattern=None)

if result is not None:
    with open(keyfile, "wb") as f:
        f.write(result)
    os.chmod(keyfile, 0o600)
else:
    pass
#+END_SRC

Alternatively the approach of the following script can be used.  This
longer example saves the exported secret key(s) in files in the GnuPG
home directory, in addition to setting the file permissions as only
readable and writable by the user.  It also exports the secret key(s)
twice in order to output both GPG binary (=.gpg=) and ASCII armoured
(=.asc=) files.

#+BEGIN_SRC python -i
import gpg
import os
import os.path
import subprocess
import sys

print("""
This script exports one or more secret keys as both ASCII armored and binary
file formats, saved in files within the user's GPG home directory.

The gpg-agent and pinentry are invoked to authorise the export.
""")

if sys.platform == "win32":
    gpgconfcmd = "gpgconf.exe --list-dirs homedir"
else:
    gpgconfcmd = "gpgconf --list-dirs homedir"

a = gpg.Context(armor=True)
b = gpg.Context()
c = gpg.Context()

if len(sys.argv) >= 4:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = sys.argv[3]
elif len(sys.argv) == 3:
    keyfile = sys.argv[1]
    logrus = sys.argv[2]
    homedir = input("Enter the GPG configuration directory path (optional): ")
elif len(sys.argv) == 2:
    keyfile = sys.argv[1]
    logrus = input("Enter the UID matching the secret key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")
else:
    keyfile = input("Enter the filename to save the secret key to: ")
    logrus = input("Enter the UID matching the secret key(s) to export: ")
    homedir = input("Enter the GPG configuration directory path (optional): ")

if len(homedir) == 0:
    homedir = None
elif homedir.startswith("~"):
    userdir = os.path.expanduser(homedir)
    if os.path.exists(userdir) is True:
        homedir = os.path.realpath(userdir)
    else:
        homedir = None
else:
    homedir = os.path.realpath(homedir)

if os.path.exists(homedir) is False:
    homedir = None
else:
    if os.path.isdir(homedir) is False:
        homedir = None
    else:
        pass

if homedir is not None:
    c.home_dir = homedir
else:
    pass

if c.home_dir is not None:
    if c.home_dir.endswith("/"):
        gpgfile = "{0}{1}.gpg".format(c.home_dir, keyfile)
        ascfile = "{0}{1}.asc".format(c.home_dir, keyfile)
    else:
        gpgfile = "{0}/{1}.gpg".format(c.home_dir, keyfile)
        ascfile = "{0}/{1}.asc".format(c.home_dir, keyfile)
else:
    if os.path.exists(os.environ["GNUPGHOME"]) is True:
        hd = os.environ["GNUPGHOME"]
    else:
        try:
            hd = subprocess.getoutput(gpgconfcmd)
        except:
            process = subprocess.Popen(gpgconfcmd.split(),
                                       stdout=subprocess.PIPE)
            procom = process.communicate()
            if sys.version_info[0] == 2:
                hd = procom[0].strip()
            else:
                hd = procom[0].decode().strip()
    gpgfile = "{0}/{1}.gpg".format(hd, keyfile)
    ascfile = "{0}/{1}.asc".format(hd, keyfile)

try:
    a_result = a.key_export_secret(pattern=logrus)
    b_result = b.key_export_secret(pattern=logrus)
except:
    a_result = a.key_export_secret(pattern=None)
    b_result = b.key_export_secret(pattern=None)

if a_result is not None:
    with open(ascfile, "wb") as f:
        f.write(a_result)
    os.chmod(ascfile, 0o600)
else:
    pass

if b_result is not None:
    with open(gpgfile, "wb") as f:
        f.write(b_result)
    os.chmod(gpgfile, 0o600)
else:
    pass
#+END_SRC


*** Sending public keys to the SKS Keyservers
    :PROPERTIES:
    :CUSTOM_ID: howto-send-public-key
    :END:

As with the previous section on importing keys, the =hkp4py= module
adds another option with exporting keys in order to send them to the
public keyservers.

The following example demonstrates how this may be done.

#+BEGIN_SRC python -i
import gpg
import hkp4py
import os.path
import sys

print("""
This script sends one or more public keys to the SKS keyservers and is
essentially a slight variation on the export-key.py script.
""")

c = gpg.Context(armor=True)
server = hkp4py.KeyServer("hkps://hkps.pool.sks-keyservers.net")

if len(sys.argv) > 2:
    logrus = " ".join(sys.argv[1:])
elif len(sys.argv) == 2:
    logrus = sys.argv[1]
else:
    logrus = input("Enter the UID matching the key(s) to send: ")

if len(logrus) > 0:
    try:
        export_result = c.key_export(pattern=logrus)
    except Exception as e:
        print(e)
        export_result = None
else:
    export_result = c.key_export(pattern=None)

if export_result is not None:
    try:
        try:
            send_result = server.add(export_result)
        except:
            send_result = server.add(export_result.decode())
        if send_result is not None:
            print(send_result)
        else:
            pass
    except Exception as e:
        print(e)
else:
    pass
#+END_SRC

An expanded version of this script with additional functions for
specifying an alternative homedir location is in the examples
directory as =send-key-to-keyserver.py=.

The =hkp4py= module appears to handle both string and byte literal text
data equally well, but the GPGME bindings deal primarily with byte
literal data only and so this script sends in that format first, then
tries the string literal form.


* Basic Functions
  :PROPERTIES:
  :CUSTOM_ID: howto-the-basics
  :END:

The most frequently called features of any cryptographic library will
be the most fundamental tasks for encryption software.  In this
section we will look at how to programmatically encrypt data, decrypt
it, sign it and verify signatures.


** Encryption
   :PROPERTIES:
   :CUSTOM_ID: howto-basic-encryption
   :END:

Encrypting is very straight forward.  In the first example below the
message, =text=, is encrypted to a single recipient's key.  In the
second example the message will be encrypted to multiple recipients.


*** Encrypting to one key
    :PROPERTIES:
    :CUSTOM_ID: howto-basic-encryption-single
    :END:

Once the the Context is set the main issues with encrypting data is
essentially reduced to key selection and the keyword arguments
specified in the =gpg.Context().encrypt()= method.

Those keyword arguments are: =recipients=, a list of keys encrypted to
(covered in greater detail in the following section); =sign=, whether
or not to sign the plaintext data, see subsequent sections on signing
and verifying signatures below (defaults to =True=); =sink=, to write
results or partial results to a secure sink instead of returning it
(defaults to =None=); =passphrase=, only used when utilising symmetric
encryption (defaults to =None=); =always_trust=, used to override the
trust model settings for recipient keys (defaults to =False=);
=add_encrypt_to=, utilises any preconfigured =encrypt-to= or
=default-key= settings in the user's =gpg.conf= file (defaults to
=False=); =prepare=, prepare for encryption (defaults to =False=);
=expect_sign=, prepare for signing (defaults to =False=); =compress=,
compresses the plaintext prior to encryption (defaults to =True=).

#+BEGIN_SRC python -i
import gpg

a_key = "0x12345678DEADBEEF"
text = b"""Some text to test with.

Since the text in this case must be bytes, it is most likely that