ANN: A new version (0.4.4) of python-gnupg has been released. It contains a security-related change - please update to this version

Vinay Sajip vinay_sajip at
Thu Jan 24 04:35:19 EST 2019

A new version of the Python module which wraps GnuPG has been released.
What Changed?=============This is an enhancement and security-fix release, and all users are stronglyencouraged to upgrade.
Brief summary:
* Fixed #108: Changed how any return value from the on_data callable is  processed. In earlier versions, the return value was ignored. In this version,  if the return value is False, the data received from gpg is not  buffered. Otherwise (if the value is None or True, for example), the  data is buffered as normal. This functionality can be used to do your own  buffering, or to prevent buffering altogether.
  The on_data callable is also called once with an empty byte-string to  signal the end of data from gpg.
* Fixed #97: Added an additional attribute check_fingerprint_collisions to  GPG instances, which defaults to False. It seems that gpg is happy  to have duplicate keys and fingerprints in a keyring, so we can't be too  strict. A user can set this attribute of an instance to True to trigger a  check for collisions.
* Fixed #111: With GnuPG 2.2.7 or later, provide the fingerprint of a signing  key for a failed signature verification, if available.
* Fixed #21: For verification where multiple signatures are involved, a  mapping of signature_ids to fingerprint, keyid, username, creation date,  creation timestamp and expiry timestamp is provided.
* Added a check to disallow certain control characters ('\r', '\n', NUL) in  passphrases. This fix mitigates against CVE-2019-6690.
This release [2] has been signed with my code signing key:
Vinay Sajip (CODE SIGNING KEY) <vinay_sajip at>Fingerprint: CA74 9061 914E AC13 8E66 EADB 9147 B477 339A 9B86
Recent changes to PyPI don't show the GPG signature with the download links.An alternative download source where the signatures are available is the project'sown downloads page [5].
What Does It Do?================The gnupg module allows Python programs to make use of thefunctionality provided by the Gnu Privacy Guard (abbreviated GPG orGnuPG). Using this module, Python programs can encrypt and decryptdata, digitally sign documents and verify digital signatures, manage(generate, list and delete) encryption keys, using proven Public KeyInfrastructure (PKI) encryption technology based on OpenPGP.
This module is expected to be used with Python versions >= 2.4, as itmakes use of the subprocess module which appeared in that version ofPython. This module is a newer version derived from earlier work byAndrew Kuchling, Richard Jones and Steve Traugott.
A test suite using unittest is included with the source distribution.
Simple usage:
>>> import gnupg>>> gpg = gnupg.GPG(gnupghome='/path/to/keyring/directory')>>> gpg.list_keys()
[{...'fingerprint': 'F819EE7705497D73E3CCEE65197D5DAC68F1AAB2','keyid': '197D5DAC68F1AAB2','length': '1024','type': 'pub','uids': ['', 'Gary Gross (A test user) < at>']},{...'fingerprint': '37F24DD4B918CC264D4F31D60C5FEFA7A921FC4A','keyid': '0C5FEFA7A921FC4A','length': '1024',...'uids': ['', 'Danny Davis (A test user) <danny.da... at>']}]>>> encrypted = gpg.encrypt("Hello, world!", ['0C5FEFA7A921FC4A'])>>> str(encrypted)
'-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.4.9 (GNU/Linux)\n\nhQIOA/6NHMDTXUwcEAf.-----END PGP MESSAGE-----\n'>>> decrypted = gpg.decrypt(str(encrypted), passphrase='secret')>>> str(decrypted)
'Hello, world!'>>> signed = gpg.sign("Goodbye, world!", passphrase='secret')>>> verified = gpg.verify(str(signed))>>> print "Verified" if verified else "Not verified"
As always, your feedback is most welcome (especially bug reports [3],patches and suggestions for improvement, or any other points via themailing list/discussion group [4]).
Vinay SajipRed Dove Consultants Ltd.

More information about the Python-announce-list mailing list