[tor-commits] [bridgedb/master] Add new GnuPG options to bridgedb.conf.

isis at torproject.org isis at torproject.org
Sat Mar 21 02:03:02 UTC 2015


commit a9688d06fd6ae7ebe0c47174ef70ae0bc774c390
Author: Isis Lovecruft <isis at torproject.org>
Date:   Sun Feb 22 09:56:12 2015 +0000

    Add new GnuPG options to bridgedb.conf.
    
     * ADD new options to bridgedb.conf:
        - EMAIL_GPG_HOMEDIR
        - EMAIL_GPG_PRIMARY_KEY_FINGERPRINT
        - EMAIL_GPG_PASSPHRASE
        - EMAIL_GPG_PASSPHRASE_FILE
    
     * ADD EMAIL_GPG_HOMEDIR and EMAIL_GPG_PASSPHRASE_FILE to the options
       whose paths are expanded in ``bridgedb.configure.loadConfig()``.
---
 bridgedb.conf             |   55 ++++++++++++++++++++++++++++++++++++++++++---
 lib/bridgedb/configure.py |    3 ++-
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/bridgedb.conf b/bridgedb.conf
index f8b126c..e0b25f0 100644
--- a/bridgedb.conf
+++ b/bridgedb.conf
@@ -15,11 +15,19 @@
 #           for details.
 # :copyright: (c) 2007-2014 The Tor Project, Inc.
 #             (c) 2007-2014, all sentient entities within the AUTHORS file
-# :version: 0.0.13
+# :version: 0.0.14
 #===============================================================================
 #
 # CHANGELOG:
 # ~~~~~~~~~~
+# Changes in version 0.0.14 - 2015-02-22
+#   * ADD new OpenPGP-related options:
+#        - EMAIL_GPG_HOMEDIR
+#        - EMAIL_GPG_PRIMARY_KEY_FINGERPRINT
+#        - EMAIL_GPG_PASSPHRASE
+#        - EMAIL_GPG_PASSPHRASE_FILE
+#   * REMOVE old OpenPGP signing key file option, EMAIL_GPG_SIGNING_KEY.
+#
 # Changes in version 0.0.13 - 2015-02-20
 #   * ADD NO_DISTRIBUTION_COUNRIES option for refusing to distribute bridges
 #     whose primary ORAddress is geolocated to any of some certain countries.
@@ -388,9 +396,50 @@ EMAIL_N_BRIDGES_PER_ANSWER = 3
 # once we have the vidalia/tor interaction fixed for everbody.
 EMAIL_INCLUDE_FINGERPRINTS = True
 
-# Configuration options for GPG signed messages
+#
+# Configuration options for OpenPGP signing and encryption
+# ------------------------------------------------------------------------------
+
+# Should we sign all email responses to clients with the key specified by
+# EMAIL_GPG_PRIMARY_KEY_FINGERPRINT (or one of its subkeys)?
 EMAIL_GPG_SIGNING_ENABLED = True
-EMAIL_GPG_SIGNING_KEY = 'gnupghome/TESTING.subkeys.sec'
+
+# The directory, relative to BridgeDB's runtime directory, in which to store
+# OpenPGP keyrings and associated files.
+EMAIL_GPG_HOMEDIR = '.gnupg'
+
+# This should be a 40-character hexadecimal string containing the OpenPGP
+# fingerprint (without spaces) of the default primary key to use.  The key
+# should be capable of both signing and encryption, or have subkeys capable of
+# such.
+#
+# The default primary key fingerprint below is the test key contained in the
+# '.gnupg/TESTING.subkeys.sec' and '.gnupg/TESTING.pub' files:
+EMAIL_GPG_PRIMARY_KEY_FINGERPRINT = '0017098C5DF4197E3C884DCFF1B240D43F148C21'
+
+# If the key referred to by EMAIL_GPG_PRIMARY_KEY_FINGERPRINT requires a
+# passphrase for signing or encryption, then the passphrase may be given in
+# the EMAIL_GPG_PASSPHRASE option (as a string), or it may be contained within
+# the file pointed to by EMAIL_GPG_PASSPHRASE_FILE.  Currently, only one
+# passphrase is supported, so if the key specified by
+# EMAIL_GPG_PRIMARY_KEY_FINGERPRINT has multiple subkeys, those subkeys MUST
+# all have the same passphrase.
+#
+# If EMAIL_GPG_PASSPHRASE_FILE is used, and the filepath is not absolute, the
+# path is interpreted as being relative to BridgeDB's runtime directory.
+# (Note: be sure not to put any newlines after the phassphrase in the
+# EMAIL_GPG_PASSPHRASE_FILE, or else they will be interpreted as part of the
+# passphrase.)
+#
+# There are currently no safety checks on the permissions of either this
+# configuration file or the EMAIL_GPG_PASSPHRASE_FILE, so beware and use at
+# your own risk.
+#
+# If both EMAIL_GPG_PASSPHRASE and EMAIL_GPG_PASSPHRASE_FILE are ``None``,
+# then it is assumed that the key specified by
+# EMAIL_GPG_PRIMARY_KEY_FINGERPRINT does not require a passphrase.
+EMAIL_GPG_PASSPHRASE = None
+EMAIL_GPG_PASSPHRASE_FILE = None
 
 #-------------------------------
 # Hashring Allocation Options   \
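Review bot: The comment block above `EMAIL_GPG_PASSPHRASE` and `EMAIL_GPG_PASSPHRASE_FILE` does not say which option wins when both are set, so an operator who leaves an old inline passphrase in place after switching to a file cannot tell which one is used. I would add a line such as `# If both are set, <OPTION> takes precedence.` once the behaviour of the loading code, which is not in this hunk, is confirmed. Separately, the shipped defaults pair `EMAIL_GPG_SIGNING_ENABLED = True` with the fingerprint of the TESTING key, whose secret subkeys appear to be distributed with the tree ('.gnupg/TESTING.subkeys.sec'). The comment over `EMAIL_GPG_PRIMARY_KEY_FINGERPRINT` should therefore say so, e.g. `# Replace this with your own key's fingerprint before deployment; the test key is public.` The note about trailing newlines also contains a typo, "phassphrase".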
diff --git a/lib/bridgedb/configure.py b/lib/bridgedb/configure.py
index 83b53d6..55fcba5 100644
--- a/lib/bridgedb/configure.py
+++ b/lib/bridgedb/configure.py
@@ -104,7 +104,8 @@ def loadConfig(configFile=None, configCls=None):
                  "ASSIGNMENTS_FILE", "HTTPS_CERT_FILE", "HTTPS_KEY_FILE",
                  "LOG_FILE", "STATUS_FILE", "COUNTRY_BLOCK_FILE",
                  "GIMP_CAPTCHA_DIR", "GIMP_CAPTCHA_HMAC_KEYFILE",
-                 "GIMP_CAPTCHA_RSA_KEYFILE"]:
+                 "GIMP_CAPTCHA_RSA_KEYFILE", "EMAIL_GPG_HOMEDIR",
+                 "EMAIL_GPG_PASSPHRASE_FILE"]:
         setting = getattr(config, attr, None)
         if setting is None:
             setattr(config, attr, setting)
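Review bot: `EMAIL_GPG_PASSPHRASE_FILE` and `EMAIL_GPG_HOMEDIR` join the generic path-expansion list without any check on who can read them, and the bridgedb.conf comment added in this same commit states that no permission checks exist. Since this loop is where the final path becomes known, it would be a natural place to warn when the passphrase file or keyring directory is accessible to group or other, for example `if os.path.exists(setting) and os.stat(setting).st_mode & 0o077: logging.warn("%s is accessible by other users" % setting)`. This assumes `os` and `logging` are in scope in configure.py, which is not visible here. The loop body continues past the end of the hunk, so the exact placement depends on the expansion code that follows.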




