PGP / GPG签名的Python代码 [英] PGP/GPG Signed Python code

问题描述

我想（PGP / GPG）签署python代码。是的，我已阅读此以及许多其他讨论的网站保护和混淆 python代码 - 这一切都不我想要的。我不想混淆代码。
我希望客户和用户能够看到代码，他们可以修改代码，复制代码并进行衍生工作，我希望将软件置于GPLv3下。
但是我想拥有已签名的插件，因此在执行期间它们可以是可信任的。

I'd like to (PGP/GPG) sign python code. Yes, I have read this and many other sites that talk about protecting and obfuscating python code - this all is not what I want. I DON'T want to obfuscate code. I want customers and users to see the code, they could modify code, copy it and make derivative work, I'd like to have the software under the GPLv3. But I want to have plugins that are "signed", so they can be kind of trusted during execution.

这是可能在Python？检查gpg签名后我可以导入库吗？
什么是容易的：检查文件的gpg签名，然后通过导入加载，否则引发异常。但这只适用于单文件导入，而不是目录python模块。

Is this possible in Python? Can I import a library after checking its gpg signing? What would be easy: check the gpg signing of a file, and then load it via import, else raise an exception. But this only would be possible for single-file-imports, not directory python modules.

很明显，如果客户更改了程序中的GPG密钥，或者在检查算法中自己删除了一些行，一切都消失了 - 但这不是问题。
他可以做任何他想做的事 - 但这很愚蠢。
他想要的是值得信赖。
我想让他通过将其复制到插件目录中来添加第三方插件，并让程序检查插件的可信度 - 然后导入它。
（所以他可以运行不签名的插件，但风险自负。）

It is clear that, if the customer changes the GPG key in the program, or deletes some lines himself in the checking algorithm, all is gone - but this is not the problem. He could do anything he wants - but this would be silly. What he wants is trustworthiness. I want to let him add a third party plugin by copying it into a "plugins" directory, and have the program check the plugin for "trustworthiness" - and then import it. (So he could run plugins that are not signed, but with his own risk.)

推荐答案

Python的 import 机制已经提供了实现您想要的所有必要工具。您可以安装不同类型的 import hooks 以支持你想要的东西。

Python's import mechanism already provide all the tools necessary to achieve what you want. You can install different kinds of import hooks in order to support what you want.

特别是你可能会发现安装元路径挂钩，搜索已签名模块并返回 Loader 能够执行导入来自这种签名格式。

In particular you'll probably find convenient to install a meta path hook that searches for "signed modules" and returns a Loader that is able to perform the imports from this signed format.

签名插件的一种非常简单方便的格式是 zip 存档包含：

A very simple and convenient format for your signed plug-ins would be a zip archive containing:

1. 模块/包形式的插件代码


2. A上述代码的PGP签名

这样：

• 您的装载机应打开拉链包装，并检查签名。如果它匹配，那么你可以安全地加载插件，如果它不匹配你应该让用户信任插件（或不插入和中止）


• 如果用户想要修改插件，只需解压缩 zip 存档并按照自己的意愿修改它。


• 从<$ c导入$ c> zip 档案已在 <$ c $中实施c> zipimport 模块。这意味着您不必从头开始重写加载器。

• Your loader should unpack the zip, and check the signature. If it matches then you can safely load the plug-in, if it doesn't match you should ask the user to trust the plug-in (or not and abort)
• If the user wants to modify the plug-in it can simply unpack the zip archive and modify it as he wishes.
• Imports from zip archives are already implemented in the zipimport module. This means that you don't have to rewrite a loader from scratch.

实际上，如果您想将钩子的代码减少到您只需要验证签名，然后将 zip 存档的路径添加到 sys.path 中因为即使没有明确使用 zipimport ，python也已经处理了从 zip 归档的导入。

Actually if you want to reduce the code for the hooks to the minimum you'd simply need to verify the signature and then add the path to the zip archive into sys.path, since python already handles imports from zip archive even without explicitly using zipimport.

使用这种设计你只需要安装这些钩子然后你就可以导入插件就好像它们是普通的模块一样，验证等等都会自动完成。

Using this design you just have to install these hooks and then you can import the plug-in as if they were normal modules and the verification etc. will be done automatically.

这篇关于PGP / GPG签名的Python代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！