I wrote a simple cross-platform utility to verify GPG signatures using GPGME. GPGME doesn't work on Windows, and on other platforms (e.g. OSX) it requires the GnuPG command line utilities to be installed, a pretty heavy dependency. I looked at other OpenPGP libraries such as netgpg, but these are less portable (it has to build with mingw-w64).
Would it be possible to implement a standalone tool to verify a GPG signature using standard libraries like OpenSSL and zlib? I understand OpenPGP consists of standard ciphers and hash functions. What part makes it so difficult that there are no C libraries out there for this?
OpenSSL does not implement the OpenPGP format, and is not compatible. Use an OpenPGP implementation like GnuPG, BouncyCastle (framework available for Java/C#) or others (OpenPGP.js for JavaScript, and there's a Go library).
While OpenPGP uses standard cryptographic digest and encryption algorithms, it has a different message format and uses its own CFB mode variant. You'd have to implement both a parser for the OpenPGP message format and a compatible OpenPGP CFB mode (if you want to support encryption), and pass the results to OpenSSL for the actual cryptography.
Finally, supporting the whole web of trust concept including the full OpenPGP specification is a broad task and has a variety of issues to consider ([1], [2], ...). In the Unix world, people seem happy enough with GnuPG and GPGME, which are tested and analyzed for advanced security issues (for example, this side channel attack). New implementations are vulnerable to similar problems solved in GnuPG.
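To make the "different message format" point concrete, here is an added example (not code from the answer or from any OpenPGP project) of the first parsing step a standalone verifier would need before it could call a crypto library: decoding the RFC 4880 packet header and the fixed leading fields of a version 4 signature packet. The struct, function name and sample bytes are constructed for illustration; partial and indeterminate lengths are rejected rather than handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a verifier must learn from the packet before any crypto call. */
struct pgp_sig_info {
    int tag;                    /* packet tag, 2 = Signature */
    size_t hdr_len, body_len;   /* header octets, body octets */
    int version, sig_type, pk_algo, hash_algo;   /* RFC 4880 algorithm IDs */
};

/* Constructed sample: old-format header (0x89), 2-octet length, v4 body. */
static const uint8_t SAMPLE_OLD[] = {0x89, 0x00, 0x06, 4, 0x00, 1, 8, 0, 0};
/* Constructed sample: new-format header (0xC2), 1-octet length, v4 body. */
static const uint8_t SAMPLE_NEW[] = {0xC2, 0x06, 4, 0x01, 1, 10, 0, 0};

/* Returns 0 on success, -1 on malformed, truncated or unsupported input. */
int pgp_parse_sig_header(const uint8_t *p, size_t n, struct pgp_sig_info *out)
{
    size_t pos = 1, len = 0, k = 0;
    if (n < 2 || !(p[0] & 0x80)) return -1;      /* bit 7 is always set */
    if (p[0] & 0x40) {                           /* new-format header */
        uint8_t o = p[pos++];
        out->tag = p[0] & 0x3f;
        if (o < 192) len = o;                    /* one-octet length */
        else if (o < 224) { k = 1; len = (size_t)(o - 192); }  /* two-octet */
        else if (o == 255) k = 4;                /* five-octet length */
        else return -1;                          /* partial body: unsupported */
        if (n - pos < k) return -1;
        while (k--) len = (len << 8) | p[pos++];
        if (o >= 192 && o < 224) len += 192;
    } else {                                     /* old-format header */
        int lt = p[0] & 3;
        out->tag = (p[0] >> 2) & 0x0f;
        if (lt == 3) return -1;                  /* indeterminate length */
        k = (size_t)1 << lt;                     /* 1, 2 or 4 length octets */
        if (n - pos < k) return -1;
        while (k--) len = (len << 8) | p[pos++];
    }
    if (len > n - pos) return -1;                /* body must fit the buffer */
    out->hdr_len = pos; out->body_len = len;
    if (out->tag != 2 || len < 4 || p[pos] != 4) return -1;  /* v4 sigs only */
    out->version = p[pos];      out->sig_type = p[pos + 1];
    out->pk_algo = p[pos + 2];  out->hash_algo = p[pos + 3];
    return 0;
}

int main(void)
{
    struct pgp_sig_info s;
    if (pgp_parse_sig_header(SAMPLE_OLD, sizeof SAMPLE_OLD, &s) == 0)
        printf("tag=%d pk_algo=%d hash_algo=%d\n", s.tag, s.pk_algo, s.hash_algo);
    return 0;
}
```

Everything after these four octets (hashed and unhashed subpackets, the hash trailer and the algorithm-specific MPIs) still has to be parsed and bounds-checked the same way before the digest and public-key operation can be delegated to a library such as OpenSSL.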