use gpg module instead of pyme module for PGP encryption

Author: cmeerw

.travis.yml

@@ -17,7 +17,7 @@ addons:
     packages:
       # Required to build/install the xapian-binding
       - libxapian-dev
-      # Required to install pyme
+      # Required to install gpg
       - libgpgme11-dev
       - swig
 
@@ -37,8 +37,8 @@ before_install:
   - cd $TRAVIS_BUILD_DIR
 
 install:
-  - pip install psycopg2 pytz whoosh
-  - if [[ $TRAVIS_PYTHON_VERSION == "2."* ]]; then pip install MySQL-python pyme; fi
+  - pip install gpg psycopg2 pytz whoosh
+  - if [[ $TRAVIS_PYTHON_VERSION == "2."* ]]; then pip install MySQL-python; fi
   - pip install pytest-cov codecov
 
 before_script:

CHANGES.txt

@@ -20,6 +20,8 @@ Features:
   2.7.8+), to improve performance over bundled pure Python
   version. Note that acceleration via m2crypto is no longer supported
   (Christof Meerwald)
+- issue2550989: PGP encryption is now done using the gpg module
+  instead of pyme. (Christof Meerwald)
 
 Fixed:
 

doc/customizing.txt

@@ -415,7 +415,7 @@ Section **pgp**
  OpenPGP mail processing options
 
  enable -- ``no``
-  Enable PGP processing. Requires pyme.
+  Enable PGP processing. Requires gpg.
 
  roles -- default *blank*
   If specified, a comma-separated list of roles to perform PGP

doc/installation.txt

@@ -101,8 +101,8 @@ pyopenssl
   proxy through a server with SSL support (e.g. apache) then this is
   unnecessary.
 
-pyme
-  If pyme_ is installed you can configure the mail gateway to perform
+gpg
+  If gpg_ is installed you can configure the mail gateway to perform
   verification or decryption of incoming OpenPGP MIME messages. When
   configured, you can require email to be cryptographically signed
   before roundup will allow it to make modifications to issues.
@@ -121,7 +121,7 @@ Windows Service
 .. _pytz: https://pypi.org/project/pytz/
 .. _Olson tz database: https://www.iana.org/time-zones
 .. _pyopenssl: http://pyopenssl.sourceforge.net
-.. _pyme: http://pyme.sourceforge.net
+.. _gpg: https://www.gnupg.org/software/gpgme/index.html
 .. _pywin32: https://pypi.org/project/pywin32/
 .. _jinja2: http://jinja.pocoo.org/
 

roundup/anypy/email_.py

@@ -3,6 +3,11 @@
 import email
 from email import quoprimime, base64mime
 
+if str == bytes:
+    message_from_bytes = email.message_from_string
+else:
+    message_from_bytes = email.message_from_bytes
+
 ## please import this file if you are using the email module
 
 # Match encoded-word strings in the form =?charset?q?Hello_World?=

roundup/configuration.py

@@ -1051,7 +1051,7 @@ def str2value(self, value):
      ), "Roundup Mail Gateway options"),
     ("pgp", (
         (BooleanOption, "enable", "no",
-            "Enable PGP processing. Requires pyme. If you're planning\n"
+            "Enable PGP processing. Requires gpg. If you're planning\n"
             "to send encrypted PGP mail to the tracker, you should also\n"
             "enable the encrypt-option below, otherwise mail received\n"
             "encrypted might be sent unencrypted to another user."),

roundup/mailer.py

@@ -21,9 +21,9 @@
 from roundup.anypy.strings import b2s, s2b, s2u
 
 try:
-    import pyme, pyme.core
+    import gpg, gpg.core
 except ImportError:
-    pyme = None
+    gpg = None
 
 
 class MessageSendError(RuntimeError):
@@ -205,9 +205,9 @@ def bounce_message(self, bounced_message, to, error,
                 self.logger.debug("MessageSendError: %s", str(e))
                 pass
         if crypt_to:
-            plain = pyme.core.Data(message.as_string())
-            cipher = pyme.core.Data()
-            ctx = pyme.core.Context()
+            plain = gpg.core.Data(message.as_string())
+            cipher = gpg.core.Data()
+            ctx = gpg.core.Context()
             ctx.set_armor(1)
             keys = []
             adrs = []
@@ -235,7 +235,7 @@ def bounce_message(self, bounced_message, to, error,
                 part=MIMEBase('application', 'octet-stream')
                 part.set_payload(cipher.read())
                 message.attach(part)
-            except pyme.GPGMEError:
+            except gpg.GPGMEError:
                 self.logger.debug("bounce_message: Cannot encrypt to %s",
                                   str(crypto_to))
                 crypt_to = None

roundup/mailgw.py

@@ -103,7 +103,7 @@ class node. Any parts of other types are each stored in separate files
 import email.utils
 from email.generator import Generator
 
-from .anypy.email_ import decode_header
+from roundup.anypy.email_ import decode_header, message_from_bytes
 from roundup.anypy.my_input import my_input
 
 from roundup import configuration, hyperdb, date, password, exceptions
@@ -114,9 +114,9 @@ class node. Any parts of other types are each stored in separate files
 import roundup.anypy.random_ as random_
 
 try:
-    import pyme, pyme.core, pyme.constants, pyme.constants.sigsum
+    import gpg, gpg.core, gpg.constants, gpg.constants.sigsum
 except ImportError:
-    pyme = None
+    gpg = None
 
 SENDMAILDEBUG = os.environ.get('SENDMAILDEBUG', '')
 
@@ -173,18 +173,18 @@ def check_pgp_sigs(sigs, gpgctx, author, may_be_unsigned=False):
         # we really only care about the signature of the user who
         # submitted the email
         if key and (author in gpgh_key_getall(key, 'email')):
-            if sig.summary & pyme.constants.sigsum.VALID:
+            if sig.summary & gpg.constants.sigsum.VALID:
                 return True
             else:
                 # try to narrow down the actual problem to give a more useful
                 # message in our bounce
-                if sig.summary & pyme.constants.sigsum.KEY_MISSING:
+                if sig.summary & gpg.constants.sigsum.KEY_MISSING:
                     raise MailUsageError( \
                         _("Message signed with unknown key: %s") % sig.fpr)
-                elif sig.summary & pyme.constants.sigsum.KEY_EXPIRED:
+                elif sig.summary & gpg.constants.sigsum.KEY_EXPIRED:
                     raise MailUsageError( \
                         _("Message signed with an expired key: %s") % sig.fpr)
-                elif sig.summary & pyme.constants.sigsum.KEY_REVOKED:
+                elif sig.summary & gpg.constants.sigsum.KEY_REVOKED:
                     raise MailUsageError( \
                         _("Message signed with a revoked key: %s") % sig.fpr)
                 else:
@@ -415,9 +415,9 @@ def decrypt(self, author, may_be_unsigned=False):
                 hdr.get_content_type() != 'application/pgp-encrypted'):
             raise MailUsageError(_("Unknown multipart/encrypted version."))
 
-        context = pyme.core.Context()
-        ciphertext = pyme.core.Data(msg.get_payload())
-        plaintext = pyme.core.Data()
+        context = gpg.core.Context()
+        ciphertext = gpg.core.Data(msg.get_payload())
+        plaintext = gpg.core.Data()
 
         result = context.op_decrypt_verify(ciphertext, plaintext)
 
@@ -432,10 +432,10 @@ def decrypt(self, author, may_be_unsigned=False):
                        may_be_unsigned=may_be_unsigned)
 
         plaintext.seek(0, 0)
-        # pyme.core.Data implements a seek method with a different signature
+        # gpg.core.Data implements a seek method with a different signature
         # than roundup can handle. So we'll put the data in a container that
         # the Message class can work with.
-        return email.message_from_string(plaintext.read(), RoundupMessage)
+        return message_from_bytes(plaintext.read(), RoundupMessage)
 
     def verify_signature(self, author):
         """
@@ -458,10 +458,10 @@ def verify_signature(self, author):
         # canonical <CR><LF> sequence."
         # TODO: what about character set conversion?
         canonical_msg = re.sub('(?<!\r)\n', '\r\n', msg.flatten())
-        msg_data = pyme.core.Data(canonical_msg)
-        sig_data = pyme.core.Data(sig.get_payload())
+        msg_data = gpg.core.Data(canonical_msg)
+        sig_data = gpg.core.Data(sig.get_payload())
 
-        context = pyme.core.Context()
+        context = gpg.core.Context()
         context.op_verify(sig_data, msg_data, None)
 
         # check all signatures for validity
@@ -942,7 +942,7 @@ def pgp_role():
         if self.config.PGP_ENABLE:
             if pgp_role() and self.config.PGP_ENCRYPT:
                 self.crypt = True
-            assert pyme, 'pyme is not installed'
+            assert gpg, 'gpg is not installed'
             # signed/encrypted mail must come from the primary address
             author_address = self.db.user.get(self.author, 'address')
             if self.config.PGP_HOMEDIR:

roundup/roundupdb.py

@@ -42,17 +42,9 @@
 import roundup.anypy.random_ as random_
 
 try:
-    import pyme, pyme.core
-    # gpgme_check_version() must have been called once in a programm
-    # to initialise some subsystems of gpgme.
-    # See the gpgme documentation (at least from v1.1.6 to 1.3.1, e.g.
-    # http://gnupg.org/documentation/manuals/gpgme/Library-Version-Check.html)
-    # This is not done by pyme (at least v0.7.0 - 0.8.1). So we do it here.
-    # FIXME: Make sure it is done only once (the gpgme documentation does
-    # not tell if calling this several times has drawbacks).
-    pyme.core.check_version(None)
+    import gpg, gpg.core
 except ImportError:
-    pyme = None
+    gpg = None
 
 
 class Database:
@@ -374,9 +366,9 @@ def encrypt_to(self, message, sendto):
         """ Encrypt given message to sendto receivers.
             Returns a new RFC 3156 conforming message.
         """
-        plain = pyme.core.Data(message.as_string())
-        cipher = pyme.core.Data()
-        ctx = pyme.core.Context()
+        plain = gpg.core.Data(message.as_string())
+        cipher = gpg.core.Data()
+        ctx = gpg.core.Context()
         ctx.set_armor(1)
         keys = []
         for adr in sendto:

test/db_test_base.py

@@ -19,7 +19,7 @@
 import unittest, os, shutil, errno, imp, sys, time, pprint, base64, os.path
 import logging, cgi
 from . import gpgmelib
-from email.parser import FeedParser
+from email import message_from_string
 
 import pytest
 from roundup.hyperdb import String, Password, Link, Multilink, Date, \
@@ -36,6 +36,7 @@
 
 from roundup.anypy.strings import b2s, s2b, u2s
 from roundup.anypy.cmp_ import NoneAndDictComparable
+from roundup.anypy.email_ import message_from_bytes
 
 from .mocknull import MockNull
 
@@ -2632,7 +2633,7 @@ def dummy_snd(s, to, msg, res=res) :
             roundupdb._ = old_translate_
             Mailer.smtp_send = backup
 
-    @pytest.mark.skipif(gpgmelib.pyme is None, reason='Skipping PGPNosy test')
+    @pytest.mark.skipif(gpgmelib.gpg is None, reason='Skipping PGPNosy test')
     def testPGPNosyMail(self) :
         """Creates one issue with two attachments, one smaller and one larger
            than the set max_attachment_size. Recipients are one with and
@@ -2674,23 +2675,19 @@ def dummy_snd(s, to, msg, res=res) :
             self.assert_(b2s(base64.encodestring(s2b("xxx"))).rstrip() in mail_msg)
             self.assert_("File 'test2.txt' not attached" in mail_msg)
             self.assert_(b2s(base64.encodestring(s2b("yyy"))).rstrip() not in mail_msg)
-            fp = FeedParser()
             mail_msg = str(res[1]["mail_msg"])
-            fp.feed(mail_msg)
-            parts = fp.close().get_payload()
+            parts = message_from_string(mail_msg).get_payload()
             self.assertEqual(len(parts),2)
             self.assertEqual(parts[0].get_payload().strip(), 'Version: 1')
-            crypt = gpgmelib.pyme.core.Data(parts[1].get_payload())
-            plain = gpgmelib.pyme.core.Data()
-            ctx = gpgmelib.pyme.core.Context()
+            crypt = gpgmelib.gpg.core.Data(parts[1].get_payload())
+            plain = gpgmelib.gpg.core.Data()
+            ctx = gpgmelib.gpg.core.Context()
             res = ctx.op_decrypt(crypt, plain)
             self.assertEqual(res, None)
             plain.seek(0,0)
-            fp = FeedParser()
-            fp.feed(plain.read())
             self.assert_("From: admin" in mail_msg)
             self.assert_("Subject: [issue1] spam" in mail_msg)
-            mail_msg = str(fp.close())
+            mail_msg = str(message_from_bytes(plain.read()))
             self.assert_("New submission from admin" in mail_msg)
             self.assert_("one two" in mail_msg)
             self.assert_("File 'test1.txt' not attached" not in mail_msg)