gpgrv
gpgrv
is a Rust library for verifying some types of GPG signatures.
use ;
Supports
- Verifying signatures:
RSA
SHA1
andSHA2
(SHA-256
,SHA-512
).
- Signed "inline" messages, and detached signatures.
- Armoured and unarmoured/binary.
- Compression wrappers (added by
gpg
for most messages) - Loading old-style keyrings (i.e. not keybox files)
Advantages
- Entirely safe Rust, no native code. Easy to build and portable.
- MIT (or Apache2, or whatever!) licensed, not LGPL.
- Simple, Rust-style API on streams (
Read
/Write
).
Disadvantages
- A tiny amount of custom, low-risk crypto code. However, any crypto code can be wrong.
- Limited, but growing, support for key and data formats.
- (Intentionally) not constant time: Cannot be used for certain crypto applications. This is less important for signature verification with public keys.
Alternatives
gpgme
(LGPL) - bindings for native code, verbose APIrpgp
(MIT/Apache2) - serious implementation of plenty ofpgp
sequoia-openpgp
(GPLv3) - serious implementation of plenty ofpgp
I was using the the gpgme
API, which works, but the API is painful,
and the linking/requirements are complicated.
sequoia
's license is wrong.
rpgp
has too many features, although it does seem to be nicely split into crates.
Minimum Supported Rust Version (MSRV)
1.36.0
(Jul 2019) (required by generic-array
) is pinned in Travis.
MSRV bumps are some kind of semver bump, to be decided for 1.0.0
.
License
Licensed under either of
- Apache License, Version 2.0
- MIT license
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.