Page MenuHomePhabricator
Create Task
Maniphest T109542

Create GPG wrapper library
Closed, ResolvedPublic
Actions

Description

From T12453:

create a standalone library (which can be reused by the extensions consuming the GPG keys) for one more level of wrapping, either around the PECL library or the command-line gpg tool directly. Unfortunately both of those require using a keyring. We probably don't want to leave around public keys (which might be secret) in /var/www/.gnupg/pubring.gpg of random machines; we also don't want to break other extensions using GPG by permanently changing the home directory. So we need to do something like: create temp dir -> set GNUPGHOME environment variable to temp dir -> run GPG commands -> reset GNUPGHOME and delete temp dir (use a scoped callback or something similar to make sure this happens). This kind of sucks but should be doable.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT12453 Encrypt emails with GnuPG (GPG)
 ResolvedTgrT109542 Create GPG wrapper library

Event Timeline

Tgr created this task.Aug 19 2015, 12:48 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added a project: MediaWiki-Email.
Tgr subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 19 2015, 12:48 AM
Tgr added a parent task: T12453: Encrypt emails with GnuPG (GPG).Aug 19 2015, 12:48 AM
Dzahn subscribed.Aug 19 2015, 12:52 AM

We probably don't want to leave around public keys (which might be secret)

Public keys that might be secret??

Tgr added a comment.Aug 19 2015, 1:14 AM

The idea was (since then I dropped it) that if we keep the user's public key secret, it can serve as a proof that the email came from Wikimedia (since no one else knows the key). But it doesn't have any advantage over just having a Wikimedia secret key for signing.

Even so, I don't like the idea of using a permanent keyring file, to which keys are randomly added whenever we need to encrypt for another user. That sounds like debugging hell.

Legoktm subscribed.Aug 19 2015, 8:12 AM
jmillican subscribed.Aug 20 2015, 5:19 PM
Tgr added a comment.Aug 29 2015, 12:40 AM

There is also a PEAR package called Crypt_GPG which could be an alternative to PECL.

Tgr closed this task as Resolved.Sep 27 2015, 5:30 AM
Tgr claimed this task.

https://github.com/tgr/php-gpglib

Legoktm added a project: Librarization.Sep 27 2015, 5:59 AM
Legoktm set Security to None.
Tgr added a comment.Sep 28 2015, 12:37 AM

See T113921 for ownership transfer.

bd808 moved this task from Untriaged to Done on the Librarization board.Oct 8 2015, 12:35 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits