如何在托管在 GitHub 上的 Python 脚本中保密开发人员密钥 [英] How to keep a developer key secret in a Python script that is hosted on GitHub
问题描述
我正在开发一个开源的 Python 驱动的 Twitter 客户端,为了访问 Twitter API 并使用 OAuth 登录,我已经在 Twitter 上注册了我的客户端,他们给了我一个唯一的消费者密钥和消费者令牌(此后称为作为开发人员密钥").这些对我的客户来说是独一无二的,我客户的所有副本都必须使用相同的开发人员密钥.现在,我必须在 Python 脚本 (main.py) 中使用开发人员密钥,因为它是一个脚本,所以没有二进制文件.此外,我必须将代码上传到 GitHub,因为我在 GitHub 上使用 git 进行内容跟踪.如何保密我的开发人员密钥?请记住,我计划向用户分发相同的客户端.
I am developing an open source Python-powered Twitter client, and to access the Twitter API and login using OAuth, I have registered my client with Twitter and they have given me a unique consumer key and consumer token (henceforth to be referred to as "developer key"). These are unique to my client, and all copies of my client have to use the same developer key. Now, I have to use the developer key in a Python script (main.py) and since it is a script, there is no binary. Also, I have to upload my code to GitHub since I am using git on GitHub for content tracking. How do I keep my developer key secret? Please keep in mind that I plan to distribute the same client to users.
密钥环似乎是最好的选择,但我想要一种只有应用程序可以访问密钥环的方法,甚至不能访问其用户(在应用程序之外).没有人应该能够通过查看我的代码来弄清楚如何访问密钥环.
A keyring seems the best option, but I want a way that only the application can access the keyring, not even its users (outside the application). And nobody should be able to figure out how to access the keyring by looking at my code.
注意:要使用 Twitter API,您必须做的第一件事是注册一个客户端应用程序.您注册的每个客户端应用程序都将被提供一个消费者密钥和秘密.这个密钥和秘密方案类似于公共和ssh 等协议中使用的私钥,供熟悉的人使用.此密钥和秘密将与您选择的编程语言中的 OAuth 库结合使用,对您向 API 发出的每个请求进行签名.正是通过此签名我们相信识别自己是您的流量实际上就是您的过程."- http://dev.twitter.com/pages/auth
Note: "To use the Twitter API, the first thing you have to do is register a client application. Each client application you register will be provisioned a consumer key and secret. This key and secret scheme is similar to the public and private keys used in protocols such as ssh for those who are familiar. This key and secret will be used, in conjunction with an OAuth library in your programming language of choice, to sign every request you make to the API. It is through this signing process that we trust that the traffic that identifies itself is you is in fact you." - http://dev.twitter.com/pages/auth
推荐答案
扩展 Apalala 的回答,我相信它的意思是代理"网络服务.人们向您发送他们的请求,您代表他们签署并发送到 Twitter,当然,一旦他们允许您的应用程序访问.
Extending on Apalala's answer, I believe what is meant is a 'proxy' web service. People send you their requests and you sign it on their behalf and send it to twitter, once they allow your application access of course.
您不必担心人们向您发送垃圾邮件,因为他们无论如何都必须登录 Twitter 才能使用它.
You don't have to worry about people spamming you because they will have to log in to twitter anyway to use it.
与其他任何地方一样,唯一的问题是我如何信任您的应用程序以首先允许它:)
Only problem, like anywhere else, is how do I trust your application enough to allow it in the first place :)
这篇关于如何在托管在 GitHub 上的 Python 脚本中保密开发人员密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
