gpgmeh 0.1.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 18ad47927216f1fc2f0198efac0bee249bd14c10
+  data.tar.gz: 445dc578d888ef956021084712d8aa5e62147388
+SHA512:
+  metadata.gz: 0ae6b61433e1c7031cdc3d114d87270161226ae366e313f3e8455692160abd3c8553789a4d04cc0741e639c311bc2348d02b61ac214534a969f0cf661d1bab9b
+  data.tar.gz: f7d397aa7cd1de1c50bbf155de91c529fdf4bcfab78e50e21e670392ce4f19714b6e3ca541d6cf234d8a2f760ada644102e759ec72e8106625880ba098e85e29

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+spec/support/rickhardslab/random_seed
+spec/support/spacemanspiff/random_seed

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,48 @@
+AllCops:
+  DisplayCopNames: true
+  TargetRubyVersion: 2.4
+  Exclude:
+    - 'bin/*'
+    - 'spec/support/**/*'
+
+ClassLength:
+  Max: 300
+
+LineLength:
+  Max: 128
+
+MethodLength:
+  Max: 40
+
+Encoding:
+  Enabled: false
+
+Lint/RescueWithoutErrorClass:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 70
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Max: 25
+
+Metrics/PerceivedComplexity:
+  Max: 25
+
+Metrics/ParameterLists:
+  Enabled: false
+
+Style/AlignParameters:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/EmptyLiteral:
+  Enabled: False
+
+Style/StringLiterals:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 2.3.5
+  - 2.4.2
+sudo: false

data/BUG-BOUNTY.md

@@ -0,0 +1,9 @@
+Serious about security
+======================
+
+Square recognizes the important contributions the security research community
+can make. We therefore encourage reporting security issues with the code
+contained in this repository.
+
+If you believe you have discovered a security vulnerability, please follow the
+guidelines at https://hackerone.com/square-open-source

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+## 0.1.5 / 2017-11-21
+
+* Update NIO version requirement

data/Gemfile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in gpgmeh.gemspec
+gemspec
+
+gem "pry"
+gem "rake"
+gem "rspec", "~> 3.7"
+gem "rubocop", "0.51.0"
+
+platform :ruby do
+  gem "pry-byebug"
+end

data/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,255 @@
+# GPGMeh: GPG Made Even _HARDER_!
+
+[![Build Status](https://travis-ci.org/square/gpgmeh.svg?branch=master)](https://travis-ci.org/square/gpgmeh)
+
+## Why?
+
+GPG can be complicated: this gem is just a high level wrapper around `gpg`.
+GPGME also provides a nice API on top of GPG, but it has two drawbacks: it is
+not thread safe and it holds the GIL when shelling out to `gpg`. This holds up
+the entire ruby process for the duration of the GPG call, which can be
+relatively slow.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'gpgmeh'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install gpgmeh
+
+## Usage
+
+### Default Configuration
+
+```ruby
+GPGMeh.default_cmd = "gpg" # first gpg found in your $PATH
+GPGMeh.default_args = ["--armor", "--trust-model", "always"]` # --no-tty` and `--quiet` are always added to the argument list
+GPGMeh.timeout_sec = 0.2 # wait up to 200ms for gpg to finish
+```
+
+### Troubleshooting your Configuration
+
+Make sure `GPGMeh.default_cmd` uses `gpg`, *not* `gpg2`. If you get any of the following errors, check your `gpg` version.
+
+`gpg2` has a slightly different format for `--list-keys --with-colons`:
+
+```
+lib/gpgmeh/key.rb:74:in `rescue in creation_date=': invalid date="1454695279" (GPGMeh::Key::ParseError)
+```
+
+`gpg2` may have trouble starting the agent:
+
+```
+command get_passphrase failed: Inappropriate ioctl for device
+```
+
+
+### Public Key Encryption: Rick wants to encrypt and sign something for Spiff
+
+```ruby
+# 7CAAAB91 is Spaceman Spiff's public key id; multiple recipients can be specified
+GPGMeh.encrypt("boom", ["7CAAAB91"]) do |key_id|
+  # This is the passphrase callback. The argument is Rick's secret key id.
+  # Return value: the secret keyring passphrase
+  "rick's-secret-keyring-passphrase"
+end
+```
+
+### Public Key Decryption: Spiff wants to decrypt something from Rick
+
+```ruby
+encrypted_message = <<EOM
+-----BEGIN PGP MESSAGE-----
+Version: GnuPG v1
+
+hQEMA5IgSfURq0FaAQf/TxrcB0EeC5XpEwVyjaKoMNR7d2PZFBLQL9wX81jEIPIN
+0tsq7/OSj/bZF1p9gkQ9YN+wzvS+1pLlPo1T/GNGrt6ay+ml4mOjezACfrQ+EBB+
+ay5XrDbwemAW/tqLMkJMrx28dt8fkNlXv+uzPKpQI5cubBcDyoD/E53rqyybjt+D
+pqA9bZ3OORqWHPBZy50eaTs/tyVgBpfXsgcTfbwSedSNnLXxdB0p2pKgPjeAYlCm
+DGzxIRSSZjHSBieDm6ZUv/tcplXqrzQxZT/0rhneoG5FK+0g5sayEPQKozdVdFM3
+B4a2jzcDbhkNEZ2HV2VVmRp2HHaFRFftuPeoECQGjckoxTo5u9K6cnOymDbf2lN0
+/0Jec1LUDWLYUtzNonBpPdlUIxlllT6Q0Q==
+=ANji
+-----END PGP MESSAGE-----
+EOM
+GPGMeh.decrypt(encrypted_message) do |key_id|
+  # This is the passphrase callback. The argument is Spiff's secret sub key id
+  # that Rick used to encypt the message.
+  # Return value: the secret keyring passphrase
+  "spiff's-secret-keyring-passphrase"
+end
+```
+
+### Symmetric Encryption: Rick wants to symmetrically encrypt and sign a message
+
+```ruby
+GPGMeh.encrypt_symmetric("boom") do |key_id|
+  # This is the passphrase callback. The argument is Rick's secret key id OR :symmetric
+  if key_id == :symmetric
+    "the-symmetric-passphrase"
+  else
+    "rick's-secret-keyring-passphrase"
+  end
+end
+```
+
+### Override default configuration
+
+```ruby
+# 7CAAAB91 is Spaceman Spiff's public key id; multiple recipients can be specified
+GPGMeh.encrypt(
+  "boom",
+  ["7CAAAB91"],
+  gpg_options: {
+    cmd: "/usr/local/bin/gpg",
+    homedir: "/tmp/.gnupg",
+    timeout_sec: 10
+  }
+) do |key_id|
+  # This is the passphrase callback. The argument is Rick's secret key id.
+  # Return value: the secret keyring passphrase
+  "rick's-secret-keyring-passphrase"
+end
+```
+
+## GPG documentation
+
+The gpg 1.4
+[docs](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4)
+describe the key types and status-fd output format.
+
+## GPG setup (this was done to setup the tests, here for posterity)
+
+Generate key for Rick Hardslab
+
+```
+gpg --homedir spec/support/rickhardslab --gen-key
+```
+
+Generate key for Spaceman Spiff
+
+```
+gpg --homedir spec/support/spacemanspiff --gen-key
+```
+
+Rick Hardslab imports Spaceman Spiff's public key
+
+```
+gpg --homedir spec/support/rickhardslab --import spacemanspiff/pubring.gpg
+```
+
+Rick Hardslab trusts Spaceman Spiff's public key
+
+```
+gpg --homedir spec/support/spacemanspiff --export-ownertrust | gpg --homedir spec/support/rickhardslab --import-ownertrust
+```
+
+Spaceman Spiff imports Rick Hardslab's public key
+
+```
+gpg --homedir spec/support/spacemanspiff --import rickhardslab/pubring.gpg
+```
+
+Spaceman Spiff trusts Rick Hardslab's public key
+
+```
+gpg --homedir spec/support/rickhardslab --export-ownertrust | gpg --homedir spec/support/spacemanspiff --import-ownertrust
+```
+
+Edit Rick's Key so a "uid" record exists for the tests to ignore ;)
+
+```
+gpg --homedir spec/support/rickhardslab/ --edit-key 7A9910E0243D6FEB
+# Edit the fields and "save" to exit
+```
+
+Rick Hardslab's keys
+
+```
+% gpg --homedir spec/support/rickhardslab/ -k
+rickhardslab/pubring.gpg
+------------------------
+pub   2048R/243D6FEB 2016-01-18
+uid                  Richard Hardslab (The Real Rick) <richard@example.com>
+uid                  Rick Hardslab <rick@example.com>
+sub   2048R/7FCAE6B3 2016-01-18
+
+pub   2048R/7CAAAB91 2016-01-18
+uid                  Spaceman Spiff <spiff@example.com>
+sub   2048R/11AB415A 2016-01-18
+
+% gpg --homedir spec/support/rickhardslab -K
+rickhardslab/secring.gpg
+------------------------
+sec   2048R/243D6FEB 2016-01-18
+uid                  Rick Hardslab <rick@example.com>
+uid                  Richard Hardslab (The Real Rick) <richard@example.com>
+ssb   2048R/7FCAE6B3 2016-01-18
+```
+
+Spaceman Spiff's keys
+
+```
+% gpg --homedir spec/support/spacemanspiff -K
+spacemanspiff/secring.gpg
+-------------------------
+sec   2048R/7CAAAB91 2016-01-18
+uid                  Spaceman Spiff <spiff@example.com>
+ssb   2048R/11AB415A 2016-01-18
+
+% gpg --homedir spec/support/spacemanspiff -k
+spacemanspiff/pubring.gpg
+-------------------------
+pub   2048R/7CAAAB91 2016-01-18
+uid                  Spaceman Spiff <spiff@example.com>
+sub   2048R/11AB415A 2016-01-18
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`bundle exec rake` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment. If lots of tests fail,
+check you are using the correct version of gpg. You can specify the `gpg`
+binary with: `GPG=gpg1 bundle exec rake`.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To
+release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push
+git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+We always welcome bug reports, on [GitHub's issue tracker](https://github.com/square/gpgmeh/issues).
+
+If you would like to contribute code to GPGMeh, thank you! You can do so
+through [GitHub](https://github.com/square/gpgmeh) by forking the repository and sending a [pull request](https://github.com/square/gpgmeh/pulls). However,
+before your code can be accepted into the project we need you to sign Square's
+(super simple) [Individual Contributor License Agreement
+(CLA)](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1)
+
+## License
+
+    Copyright 2016 Square, Inc.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/bin/console

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "gpgmeh"
+
+ require "pry"
+ Pry.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/gpgmeh.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+# frozen_string_literal: true
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "gpgmeh/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "gpgmeh"
+  spec.version       = GPGMeh::VERSION
+  spec.authors       = ["Andrew Lazarus"]
+  spec.email         = ["lazarus@squareup.com"]
+
+  spec.summary       = "GPG Made Even (Happier|Hipper|Harder?)"
+  spec.homepage      = "https://github.com/square/gpgmeh"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport", ">= 2.3"
+  spec.add_dependency "nio4r", "~> 2"
+end

data/lib/gpgmeh/key.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require "date"
+require "set"
+
+class GPGMeh
+  class Key
+    class ParseError < ::GPGMeh::Error; end
+
+    # See README.md for link to gpg documentation on key types
+    TYPES = {
+      "pub" => "public key",
+      "crt" => "X.509 certificate",
+      "crs" => "X.509 certificate and private key available",
+      "sub" => "subkey",
+      "sec" => "secret key",
+      "ssb" => "secret subkey",
+      "uid" => "user id",
+      "uat" => "user attribute",
+      "sig" => "signature",
+      "rev" => "revocation signature",
+      "fpr" => "fingerprint",
+      "pkd" => "public key data",
+      "grp" => "reserved for gpgsm",
+      "rvk" => "revocation key",
+      "tru" => "trust database information",
+      "spk" => "signature subpacket"
+    }.freeze
+
+    TYPES_THAT_MATTER = TYPES.values_at('pub', 'sub', 'sec', 'ssb', 'rvk').to_set.freeze
+
+    TRUSTS = {
+      "o" => "other",
+      "i" => "invalid",
+      "d" => "disabled",
+      "r" => "revoked",
+      "e" => "expired",
+      "n" => "none",
+      "m" => "marginal",
+      "f" => "fully",
+      "u" => "ultimately",
+      "-" => "unknown",
+      "q" => "unknown"
+    }.freeze
+
+    CAPABILITIES = {
+      "e" => "encrypt",
+      "s" => "sign",
+      "c" => "certify",
+      "a" => "authentication",
+      "d" => "disabled"
+    }.freeze
+
+    def self.parse(raw_keys)
+      raw_keys.split("\n").map do |raw_key|
+        fields = raw_key.split(":", 13)
+        key = new
+        key.type = fields[0]
+        next unless TYPES_THAT_MATTER.include?(key.type)
+        key.trust = fields[1]
+        key.key_length = fields[2].to_i
+        key.key_id = fields[4]
+        key.creation_date = fields[5]
+        key.name = fields[9]
+        key.capabilities = fields[11]
+        key
+      end.compact
+    end
+
+    attr_accessor :key_length, :key_id, :name
+    attr_reader :type, :trust, :capabilities, :creation_date
+
+    def creation_date=(s)
+      @creation_date = Date.parse(s)
+    rescue ArgumentError => e
+      msg = "#{e.message}=#{s.inspect}"
+      msg += ", gpg2 uses a different date format, are you using gpg2 instead of gpg1?" if s.to_i.to_s == s
+      raise ParseError, msg
+    end
+
+    def type=(s)
+      @type = TYPES[s] || raise(ParseError, "unkown key type=#{s.inspect}")
+    end
+
+    def trust=(s)
+      @trust = TRUSTS[s] || raise(ParseError, "unkown trust=#{s.inspect}") unless s.empty?
+    end
+
+    def capabilities=(s)
+      @capabilities = s.split("").map do |letter|
+        CAPABILITIES[letter.downcase] ||
+          raise(ParseError, "unkown capability=#{letter.inspect} capabilities=#{s.inspect}")
+      end.to_set
+    end
+  end
+end

data/lib/gpgmeh/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class GPGMeh
+  VERSION = "0.1.5"
+end

data/lib/gpgmeh.rb

@@ -0,0 +1,366 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/blank"
+require "active_support/core_ext/object/try"
+require "nio"
+require "open3"
+
+class GPGMeh
+  class Error < StandardError; end
+  class TimeoutError < Error; end
+  class NoPassphraseError < Error; end
+end
+
+require "gpgmeh/key"
+require "gpgmeh/version"
+
+class GPGMeh
+  # Encrypt message using public key encryption for the `recipients`
+  #
+  # @param plaintext [String] bytes to be encrypted with the recipient(s)'
+  #   public key; each recipient's secret key must be used to decrypt the message
+  # @param recipients [String] or [Array<String>] list of public key id's
+  # @param gpg_options [Hash<Symbol, String>] gpg options, valid keys: cmd, args, homedir, timeout_sec
+  #   cmd: gpg command to execute, default=gpg
+  #   args: command line arguments for gpg, default=%w(--armor --trust-model always)
+  #     (note: --no-tty and --quiet are always added)
+  #   homedir: custom homedir for gpg (passes --homedir argument to gpg)
+  #   timeout_sec: timeout for gpg command, default=0.2
+  # @param sign [bool] should the encrypted message be signed? Requires `passphrase_callback`. [default=true]
+  # @param passphrase_callback [callable] or [block] callable that returns the secret keyring passphrase,
+  #   only required when signing; the callable takes an 8 character string argument (short format key id)
+  #
+  # @return [String] encrypted message
+  #
+  # Example:
+  #
+  #   GPGMeh.encrypt("boom", "ABC123DE") do |secret_key_id|
+  #     if secret_key_id == "123ABC45"
+  #       "secret_keyring1_passphrase"
+  #     else
+  #       "secret_keyring2_passphrase"
+  #     end
+  #   end
+  #
+  def self.encrypt(plaintext, recipients, gpg_options: {}, sign: true, passphrase_callback: nil, &block)
+    raise ArgumentError, "passphrase callback required to sign" if sign && (passphrase_callback || block).nil?
+    raise ArgumentError, "recipient(s) required" if recipients.empty?
+    unless recipients.all? { |key_id| /^[A-Za-z0-9]+$/ =~ key_id }
+      raise ArgumentError, "recipient key ids must all be alphanumeric strings"
+    end
+    t = Time.now
+    new(gpg_options).encrypt(plaintext, recipients, sign: sign, passphrase_callback: passphrase_callback || block)
+  ensure
+    logger.debug(format("GPGMeh: encryption time=%.3fs", Time.now - t)) if t
+  end
+
+  # Decrypt public key encrypted message using secret keyring
+  #
+  # @param encrypted_blob [String] encrypted blob to decrypt
+  # @param gpg_options (@see #GPGMeh.encrypt)
+  # @param passphrase_callback (@see #GPGMeh.encrypt)
+  #
+  # @return [String] encrypted message
+  def self.decrypt(encrypted_blob, gpg_options: {}, passphrase_callback: nil, &block)
+    raise ArgumentError, "passphrase callback required" if (passphrase_callback || block).nil?
+    t = Time.now
+    new(gpg_options).decrypt(encrypted_blob, passphrase_callback || block)
+  ensure
+    logger.debug(format("GPGMeh: decryption time=%.3fs", Time.now - t)) if t
+  end
+
+  # Encrypt message using a symmetric passphrase
+  #
+  # @param plaintext (@see #GPGMeh.encrypt)
+  # @param gpg_options (@see #GPGMeh.encrypt)
+  # @param sign (@see #GPGMeh.encrypt)
+  # @param passphrase_callback [callable] or [block] callable that returns passphrases:
+  #   `callable.call(:symmetric)` # => the symmetric passphrase (required)
+  #   `callable.call(<short format secret key id>)` # => the secret keyring passphrase
+  #     (optional, only used when signing)
+  #
+  # Example:
+  #
+  #   GPGMeh.encrypt_symmetric("boom") do |secret_key_id|
+  #     if secret_key_id == :symmetric
+  #       "my-symmetric-secret"
+  #     elsif secret_key_id == "123ABC45"
+  #       "secret_keyring1_passphrase"
+  #     else
+  #       "secret_keyring2_passphrase"
+  #     end
+  #   end
+  #
+  # @return [String] encrypted message
+  def self.encrypt_symmetric(
+    plaintext,
+    gpg_options: {},
+    sign: true,
+    passphrase_callback: nil,
+    &block
+  )
+    t = Time.now
+    new(gpg_options).encrypt_symmetric(
+      plaintext,
+      sign: sign,
+      passphrase_callback: passphrase_callback || block
+    )
+  ensure
+    logger.debug(format("GPGMeh: symmetric encryption time=%.3fs", Time.now - t)) if t
+  end
+
+  def self.public_keys(gpg_options: {})
+    new(gpg_options).public_keys
+  end
+
+  def self.secret_keys(gpg_options: {})
+    new(gpg_options).secret_keys
+  end
+
+  def self.version(gpg_options: {})
+    new(gpg_options).version
+  end
+
+  class << self
+    attr_accessor :default_cmd, :default_args, :default_homedir, :timeout_sec
+    attr_writer :logger
+  end
+  self.default_cmd = "gpg"
+  self.default_args = %w[--armor --trust-model always].freeze
+  self.timeout_sec = 0.2
+
+  def self.logger
+    return @logger if defined?(@logger)
+    require "logger"
+    @logger = Logger.new(STDERR)
+  end
+
+  def initialize(
+    cmd: self.class.default_cmd,
+    args: self.class.default_args,
+    homedir: self.class.default_homedir,
+    timeout_sec: self.class.timeout_sec
+  )
+    @gpg_cmd = cmd
+    @gpg_args = args
+    @gpg_args += ["--homedir", homedir] if homedir
+    @deadline = Time.now + timeout_sec
+    @stdout_buffer = +""
+    @stderr_buffer = +""
+    @status_r_buffer = +""
+  end
+  private_class_method :new
+
+  private
+
+  attr_reader :gpg_cmd,
+    :gpg_args,
+    :status_r,
+    :command_w,
+    :stdin,
+    :stdout,
+    :stderr,
+    :stdout_buffer,
+    :stderr_buffer,
+    :status_r_buffer,
+    :stdin_monitor,
+    :stdout_monitor,
+    :stderr_monitor,
+    :status_r_monitor,
+    :input,
+    :callback,
+    :wait_thread
+
+  def start(extra_args, input = nil, callback = nil)
+    setup_gpg_process(extra_args, input, callback)
+
+    runloop
+
+    unless stderr_buffer.empty?
+      self.class.logger.warn { "GPGMeh: gpg stderr=#{stderr_buffer.inspect}" }
+    end
+
+    # wait on thread completion until the deadline
+    wait = @deadline - Time.now
+    raise TimeoutError if wait <= 0 || wait_thread.join(wait).nil?
+
+    raise Error, "gpg non-zero exit status=#{wait_thread.value}" unless wait_thread.value.try(:success?)
+
+    stdout_buffer
+  rescue => e
+    self.class.logger.error do
+      "GPGMeh: error=#{e.inspect} backtrace=#{e.backtrace[0..20].inspect} stderr=#{stderr_buffer.inspect}"
+    end
+    raise
+  ensure
+    begin
+      Process.kill(:SIGINT, wait_thread.pid) if wait_thread.alive?
+    rescue Errno::ESRCH # rubocop:disable Lint/HandleExceptions
+    end
+  end
+
+  def setup_gpg_process(extra_args, input, callback)
+    @input = input
+    @callback = callback
+    if callback
+      @status_r, status_w = IO.pipe
+      status_w.close_on_exec = false
+      command_r, @command_w = IO.pipe
+      command_r.close_on_exec = false
+      command_w.sync = true
+      extra_args.concat(["--status-fd", status_w.to_i.to_s, "--command-fd", command_r.to_i.to_s])
+    end
+
+    @stdin, @stdout, @stderr, @wait_thread =
+      Open3.popen3(gpg_cmd, "--no-tty", "--quiet", *gpg_args, *extra_args, close_others: !callback)
+    stdout.set_encoding(Encoding::BINARY)
+
+    return unless callback
+
+    command_r.close
+    status_w.close
+  end
+
+  def runloop
+    selector = NIO::Selector.new
+
+    if input
+      @stdin_monitor = selector.register(stdin, :w)
+      @stdin_monitor.value = method(:write_stdin)
+    end
+    @stdout_monitor = selector.register(stdout, :r)
+    @stdout_monitor.value = method(:read_stdout)
+    @stderr_monitor = selector.register(stderr, :r)
+    @stderr_monitor.value = method(:read_stderr)
+    if callback
+      @status_r_monitor = selector.register(status_r, :r)
+      @status_r_monitor.value = method(:read_status_r)
+    end
+
+    loop do
+      break if selector.empty?
+
+      wait = @deadline - Time.now
+      raise TimeoutError if wait <= 0
+
+      ready = selector.select(wait)
+      next unless ready # ready is nil for timeouts
+      ready.each do |monitor|
+        monitor.value.call
+      end
+    end
+  ensure
+    # rubocop:disable Style/RescueModifier
+    stdin.close rescue nil
+    stdout.close rescue nil
+    stderr.close rescue nil
+    status_r.close rescue nil
+    command_w.close rescue nil
+    selector.close
+    # rubocop:enable Style/RescueModifier
+  end
+
+  def write_stdin
+    loop do
+      bytes_written = stdin.write_nonblock(input, exception: false)
+      break if bytes_written == :wait_writable
+
+      @input = input.byteslice(bytes_written..-1)
+
+      if input.empty? # rubocop:disable Style/Next
+        stdin_monitor.close
+        stdin.close_write
+        break
+      end
+    end
+  end
+
+  def read_stdout
+    read(stdout, stdout_buffer, stdout_monitor)
+  end
+
+  def read_stderr
+    read(stderr, stderr_buffer, stderr_monitor)
+  end
+
+  def read_status_r
+    read(status_r, status_r_buffer, status_r_monitor)
+
+    last = status_r_buffer.rindex("\n")
+    return unless last
+
+    status_r_buffer[0..last].split("\n").each do |line|
+      # See README.md for link to gpg documentation on status-fd output
+      self.class.logger.debug { "GPGMeh: gpg status-fd output=#{line.inspect}" }
+
+      if /NEED_PASSPHRASE (?<sub_key_id>\S+) (?<key_id>\S+)/ =~ line
+        self.class.logger.debug do
+          "GPGMeh: NEED_PASSPHRASE sub_key_id=#{sub_key_id.inspect} key_id=#{key_id.inspect}"
+        end
+        passphrase = callback.call(sub_key_id[-8..-1])
+        raise NoPassphraseError, "secret keyring passphrase required from callback" unless passphrase
+        command_w.puts(passphrase)
+      elsif /NEED_PASSPHRASE_SYM/.match?(line)
+        self.class.logger.debug("GPGMeh: NEED_PASSPHRASE_SYM")
+        passphrase = callback.call(:symmetric)
+        raise NoPassphraseError, "symmetric passphrase required from callback" unless passphrase
+        command_w.puts(passphrase)
+      end
+    end
+    @status_r_buffer = status_r_buffer[(last + 1)..-1]
+  end
+
+  def read(io, buffer, monitor)
+    loop do
+      output_chunk = io.read_nonblock(8192, exception: false)
+      # output_chunk == nil means readable EOF
+      return if output_chunk == :wait_readable
+
+      if output_chunk.nil?
+        monitor.close
+        io.close
+        return
+      end
+
+      buffer << output_chunk
+    end
+  end
+
+  # These methods are "public", but since `new` is private, they should be inaccessible
+  public
+
+  # @private
+  def encrypt(plaintext, recipients, sign:, passphrase_callback:)
+    extra_args = %w[--encrypt] + recipients.flat_map { |recipient| ["--recipient", recipient] }
+    extra_args << "--sign" if sign
+    start(extra_args, plaintext, passphrase_callback)
+  end
+
+  # @private
+  def decrypt(encrypted_blob, passphrase_callback)
+    start(["--decrypt"], encrypted_blob, passphrase_callback)
+  end
+
+  # @private
+  def encrypt_symmetric(plaintext, sign:, passphrase_callback:)
+    extra_args = ["--symmetric"]
+    extra_args << "--sign" if sign
+
+    start(extra_args, plaintext, passphrase_callback)
+  end
+
+  # @private
+  def public_keys
+    Key.parse(start(%w[--with-colons --list-public-keys]))
+  end
+
+  # @private
+  def secret_keys
+    Key.parse(start(%w[--with-colons --list-secret-keys]))
+  end
+
+  # @private
+  def version
+    start(%w[--version])
+  end
+end

metadata

@@ -0,0 +1,87 @@
+--- !ruby/object:Gem::Specification
+name: gpgmeh
+version: !ruby/object:Gem::Version
+  version: 0.1.5
+platform: ruby
+authors:
+- Andrew Lazarus
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-11-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nio4r
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+description: 
+email:
+- lazarus@squareup.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- BUG-BOUNTY.md
+- CHANGELOG.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- gpgmeh.gemspec
+- lib/gpgmeh.rb
+- lib/gpgmeh/key.rb
+- lib/gpgmeh/version.rb
+homepage: https://github.com/square/gpgmeh
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: GPG Made Even (Happier|Hipper|Harder?)
+test_files: []