batch generation of keypairs by GnuPG

phil hunt philh at comuno.freeserve.co.uk
Wed Jul 4 17:09:15 EDT 2001 

[x-posted to several newsgroups, because I don't know what the
best way to proceed is]

I am developing an email encryption system in Python. (The
details of what it will do are at 
<http://www.vision25.demon.co.uk/oss/herbivore/intro.html> )

It uses public-key encryption. As the encryption engine,
I am using GnuPG, which I am calling from my program using
the system() call.

I am having problems programmatically generating a public/private
keypair using GnuPG. The relevant code segment is:

     
#---------------------------------------------------------------------
  
def createSecretKey(realName, email):
   """ invoke GPG to create a secret key for me """  
   if debug: print "!! in createSecretKey() !!"
   
   # create a tempory file to contain parameters for key creation
   keyCreationParas = """%%secring %s
%%pubring %s
Key-Type: %s
Key-Length: 1024
Expire-Date: 0
Name-Real: %s
Name-Comment: %s
Name-Email: %s 
%%commit
""" % (secPn, pubPn, gpgCreateKeyType, realName, gpgKeyComment, email)

   tmpFilename = os.tempnam(herbDir, "temp_")
   tmpFilename2 = os.tempnam(herbDir, "temp2_")
   utility.writeFile(tmpFilename, keyCreationParas)
   
   #>>>>> invoke GPG to create the key:
   gpgCommand = ("gpg --batch " 
      + "--no-default-keyring --secret-keyring %s --keyring %s "
      + "--gen-key -a %s") % (secPn, pubPn, tmpFilename)
   
   if debug:
      print "!! About to [%s]..." % gpgCommand
   gpgProcess = popen2.Popen3(gpgCommand)
   # GPG is now running as a separate process. We may need to give it
   # a source of entropy. Running tasks in the background is intended
   # to achieve this
   if debug: print "!! returned from Popen3()"

   
   while 1:
      #####was: while gpgProcess.poll() != -1:
      pollValue = gpgProcess.poll()
      
      if debug:
         action = "stopped"
         if pollValue == PROCESS_STILL_RUNNING: action = "continuing..."
         print "!! gpgProcess.poll() => %s, %s" % (pollValue, action)
         
      if pollValue != PROCESS_STILL_RUNNING: break   
         
      # gpg process hasn't finished yet, so execute some tasks
      
      result = commands.getoutput("ps auxw")
      result2 = commands.getoutput("date")
      result3 = commands.getoutput("df")
      
      utility.writeFile(tmpFilename2, result+result2+result3)
      # ...feed these results into GPG?... 

      if debug: print "w",

   # tidy up: remove the temporary files
   os.remove(tmpFilename2)
   os.remove(tmpFilename)  

#---------------------------------------------------------------------

When I execute this, I get this output from gpg:

------------------ begin --------------------
gpg: Warning: using insecure memory!                                                    
gpg: /home/philh/.herbivore/secret_keys.gpg: keyring created                            
gpg: /home/philh/.herbivore/public_keys.gpg: keyring created                            
+++++.+++++++++++++++..+++++++++++++++++++++++++++++++w !! gpgProcess.poll() => -1, 
continuing...                                                                               
++++++++++++++.+++++.+++++++++++++++++++++++++w !! gpgProcess.poll() => -1, 
continuing...  
.++++++++++++++++++++++++++++++.+++++>.+++++w !! gpgProcess.poll() => -1, continuing... 
.w !! gpgProcess.poll() => -1, continuing...                                            
..w !! gpgProcess.poll() => -1, continuing...   
(etc)
------------------- cut ---------------------

Note that it says it's creating the keyring files before the keypair
is computed -- this seems wrong to me.

On exit, when I try to view what's in the keyring files, gpg complains
thus:

------------------ begin --------------------                         
philh:~/.herbivore> gpg --list-sig --keyring 
~/.herbivore/public_keys.gpg gpg: Warning: using insecure memory!
gpg: [don't know]: invalid packet (ctb=2d) near 1
gpg: read_keyblock: read error: invalid packet
gpg: enum_keyblocks(read) failed: invalid keyring 
------------------- cut ---------------------

So, I have two questions:

(1) how do I get GnuPG to generate keypairs as a batch process?

(2) Should I be using GnuPG at all? I don't need its key management
facilities -- I can use a serialised Python data structure for that --
and I find it overcomplex to use programmatically. Is there a better 
solution? What I need is software that can generate keypairs
(using an unencumbered algorithm such as ElGamal), and can encrypt
and decrypt using those keys, and make/test signatures using
the keys. Is there anything which does this (either a Python
program, or something accessible from the command line)?


-- 
## Philip Hunt ## philh at comuno.freeserve.co.uk ##

More information about the Python-list mailing list