GPGME (for python) questions

Ingo Klöcker kloecker at kde.org
Sat Oct 24 19:34:44 CEST 2020


On Friday, 23 October 2020 21:48:49 CEST Hammett, Rich via Gnupg-users wrote:
> Is there a guide anywhere for what versions of GnuPG are supported by what
> versions of GPGME?

Check the documentation of gpgme. The README of the current version reads
"For support of the OpenPGP and the CMS protocols, you should use the
latest version of GnuPG (>= 2.1.18) , available at:
https://gnupg.org/ftp/gcrypt/gnupg/."

Note that GnuPG 2.1.x is no longer supported (even if it might still work with 
gpgme).

In general, old functionality in gpgme that worked with an old version of 
GnuPG should still work with the latest version of gpgme, but there are no 
guarantees. New functionality of gpgme usually is only developed to work with 
the current GnuPG release (because often the new gpgme API needs new internal 
API in GnuPG and its helpers).

So, if possible, use the most recent GnuPG 2.2 release with the most recent 
release of gpgme.
 
> I only need encryption and decryption as part of an automated software
> framework, and I’m trying to migrate from an existing toolset that uses
> GnuPG v1.4 and python-gnupg.

Note that gpgme now includes the Python bindings.

> We need to be able to pgp encrypt and decrypt
> without human interaction.  I’m working through the various ways to move up
> to more current software, and latest GPGME with latest GnuPG is probably
> the best, if I can figure out the python bindings and if GnuPG works with
> pinentry for automated decryption.

I suggest checking out the tests of the Python bindings, in particular
t-decrypt.py and t-callbacks.py (for passphrase callbacks).

A common recommendation on this list is to use a passphrase-less secret key 
for automated decryption because this isn't really less secure than storing 
the passphrase in cleartext in some script file next to the secret key.

Another approach is to inject the passphrase into gpg-agent's passphrase cache 
with an unlimited (or near unlimited) expiration time. The latter approach 
requires human interaction (or scripted interaction from another system) for 
entering the passphrase into the cache after every restart of gpg-agent (e.g. 
after a system reboot) and is obviously much more error-prone than a 
passphrase-less key.

> Any tips, any good documents out there?  Are there archives of this list
> somewhere, or is that private for the same reason the subscribers’ list
> is?

The archive of this list is available via the link at the bottom of this 
message (which is added automatically by the mailing list).

Regards,
Ingo