GnuPGP Encryption integration / API

[fpietrosanti]

Many apaf application may need to use GPG encryption and signature verification for many purposes:

• verification of signature of downloaded files
• encryption of data

Due to the cross-platform nature of APAF, it must provide gpg functionality for OSX and Windows.

The API to be provided to APAF application must initially just support:

• encrypt data
• verify signature
• import pgp public keys

It's out of scope the handling of PGP private keys and/or signing is provided to keep off keychain management functionalities, making the API support stateless (no need to manage keyring databases, leaving to application logic the duty to provide keys for encryption).

This API will be initially only used by:

• 12 API to send email securely

• 2 Automate Apaf dependancy installation (to check fingerprints of software)

[fpietrosanti]

Please notes that to implement this feature it will be required to:

• download gpg binaries for the right platform within the apaf build system

[vecna]

import public key and handle private one, can be done also in a separated keyring, in example, a fixed name like "apaf-pubring" or "apaf-secring" (if not configured differently), but can't be out of scope handling keys.

maybe important, during the implementation, take a look of all the not documented --long-options present in gnupg code, because they export a lot of low level controls.

need to be remember that keyserver query has to be performed with the long ID (64bit almost, or the entire fingerprint), instead of the 32bit ID.

Apaf by the way, export "high level function" being a framework. The coolest thing I see, having GPG embedded on it, can be the export at applicative layer of the web of trust (http://en.wikipedia.org/wiki/Web_of_trust), usually checked my hand command or by visual tools like: http://pgp.cs.uu.nl/doc/faq.html

permitting to the application in select trustwhorty peer using the WOT logic, can be a safe base to develop applications that can't relay on a trusted authority.

[vecna]

I get it, maybe I've gone out of scope, initially the keys is expected are managed by the application instead of the framework, and the keyring used can be just a temporary keyring.

this link the requirement to another (optional) issue: supports for different OSs ramdisks, where APAF can store temporary files ?