
python3 gpg module should offer an "encrypt" function that takes an email.message.EmailMessage and returns a new one
Open, Normal, Public

Description

The gpg Python module should make it really easy for a Python user who has an email.message.EmailMessage to produce an encrypted+signed version of the same message.

I'm thinking of a function like:

gpg.Context.encrypt_email(msg: email.message.EmailMessage) → email.message.EmailMessage

(though obviously there might be some more parameters that a sophisticated user might want to set.)

The idea is that the gpg module would extract the necessary recipient and sender information from the headers already there, and produce the best valid PGP/MIME encrypted+signed message it knows how to do.

This would be useful for projects like alot if we want them to use GnuPG.

Event Timeline

The function would do something like:

  • from msg, extract all e-mail addresses from to, cc, bcc fields
  • find "the best" keys that match these addresses, storing them in keylist
  • copy msg to tmp, remove bcc header from tmp
  • wrap armored output of gpg.Context.encrypt(bytes(tmp), recipients=keylist) in the necessary RFC 3156 cladding, copying most headers from msg (maybe stubbing out the subject), producing an email.message.EmailMessage object.

It might need to raise errors:

  • if no suitable encryption-capable public key can be found for any recipient
  • if no signing-capable secret key is available for the author.

I note that "the best" seems like it might be a pretty subjective thing. The standard GnuPG framing asks about the validity of keys for the User ID in question. Perhaps the caller could indicate whether they want to require full validity for each key to make this key selection more strict.
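As an added example (not GnuPG project code and not the bindings' own API), here are the steps sketched above carried through with the standard library's email package: collect To/Cc/Bcc addresses, copy the message and drop Bcc, encrypt the whole inner entity, and wrap the armored output in the RFC 3156 multipart/encrypted cladding while copying the other headers and stubbing the Subject. Only gpgme_encryptor touches gpg; it imports the module lazily and assumes the Key/UID attribute names (can_encrypt, can_sign, expired, revoked, disabled, invalid, uids, email, validity), gpg.constants.validity.FULL and the 3-tuple returned by Context.encrypt as found in the GPGME Python bindings. Its require_full_validity flag is one way to express the "stricter key selection" idea from the last paragraph. The sample message addresses and the placeholder ciphertext returned by fake_encryptor are constructed so the wrapping can be run without a keyring.

```python
import email
import email.message
import email.policy
import email.utils

# Headers rebuilt for the outer envelope; Bcc must never leave the plaintext.
_NOT_COPIED = {"bcc", "mime-version", "content-type",
               "content-transfer-encoding", "content-disposition"}


def recipient_addresses(msg: email.message.EmailMessage) -> list:
    """Step 1: every address in To, Cc and Bcc, lower-cased and deduplicated."""
    found = set()
    for hdr in ("To", "Cc", "Bcc"):
        for _name, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.add(addr.lower())
    return sorted(found)


def sender_address(msg: email.message.EmailMessage) -> str:
    """The author address that a signing-capable secret key must exist for."""
    _name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    if not addr:
        raise ValueError("message has no usable From: address")
    return addr.lower()


def gpgme_encryptor(recipients, sender, require_full_validity=False):
    """Step 2 and the two error cases, via the gpg (GPGME) bindings.  Imported
    lazily so the MIME code below runs without a keyring.  Assumption: the
    Key/UID attribute names and Context.encrypt's 3-tuple are GPGME 1.x's."""
    import gpg
    ctx = gpg.Context(armor=True)
    keys = []
    for addr in recipients:
        usable = [k for k in ctx.keylist(addr) if k.can_encrypt
                  and not (k.expired or k.revoked or k.disabled or k.invalid)]
        if require_full_validity:  # the stricter selection the ticket asks about
            usable = [k for k in usable if any(
                u.email.lower() == addr and u.validity >= gpg.constants.validity.FULL
                for u in k.uids)]
        if not usable:
            raise LookupError("no encryption-capable public key for " + addr)
        keys.append(usable[0])  # "best" is simply the first usable key here
    if not any(k.can_sign for k in ctx.keylist(sender, secret=True)):
        raise LookupError("no signing-capable secret key for " + sender)

    def encrypt(plaintext: bytes) -> bytes:
        ciphertext, _enc_result, _sig_result = ctx.encrypt(
            plaintext, recipients=keys, sign=True)
        return ciphertext
    return encrypt


def encrypt_email(msg, encrypt, stub_subject=True):
    """Steps 3 and 4: copy, drop Bcc, encrypt the whole inner message, wrap."""
    # Round-trip through bytes so the caller's object is left untouched.
    inner = email.message_from_bytes(bytes(msg), policy=email.policy.default)
    del inner["Bcc"]
    # RFC 3156 wants the encrypted MIME entity in canonical CRLF form.
    armored = encrypt(inner.as_bytes(policy=email.policy.SMTP))
    if not armored.startswith(b"-----BEGIN PGP MESSAGE-----"):
        raise ValueError("encrypt() must return ASCII-armored output")

    outer = email.message.EmailMessage(policy=email.policy.default)
    for name, value in msg.items():  # copy most headers, rebuild the MIME ones
        if name.lower() in _NOT_COPIED:
            continue
        stub = stub_subject and name.lower() == "subject"
        outer[name] = "..." if stub else str(value)
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'

    version = email.message.MIMEPart(policy=email.policy.default)
    version.set_content("Version: 1\n")
    version.replace_header("Content-Type", "application/pgp-encrypted")
    cipher = email.message.MIMEPart(policy=email.policy.default)
    cipher.set_content(armored, maintype="application", subtype="octet-stream",
                       cte="7bit", disposition="inline", filename="encrypted.asc")
    outer.attach(version)
    outer.attach(cipher)
    return outer


def build_sample_message():
    """Constructed input for an offline run; the addresses are made up."""
    m = email.message.EmailMessage(policy=email.policy.default)
    m["From"] = "Alice <alice@example.org>"
    m["To"] = "bob@example.org"
    m["Cc"] = "Carol <carol@example.org>"
    m["Bcc"] = "dave@example.org"
    m["Subject"] = "lunch?"
    m.set_content("Noon at the usual place?\n")
    return m


def fake_encryptor(captured):
    """Stand-in for gpgme_encryptor(): records the plaintext it was handed and
    returns a constructed placeholder blob instead of real ciphertext."""
    def encrypt(plaintext: bytes) -> bytes:
        captured.append(plaintext)
        return (b"-----BEGIN PGP MESSAGE-----\n\nbm90IHJlYWwgY2lwaGVydGV4dA==\n"
                b"-----END PGP MESSAGE-----\n")
    return encrypt
```

With a real keyring the call is `encrypt_email(msg, gpgme_encryptor(recipient_addresses(msg), sender_address(msg)))`. Two details worth noting: the Bcc header is removed from the copy before it is serialized, so it never reaches the ciphertext or the outer envelope, and the whole inner entity (its own Content-Type and the copied From/To/Subject included) is what gets encrypted, which is why the outer Subject can be reduced to "..." without losing it for the recipient.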