[](https://gitlab.com/hackancuba/blake2signer/-/commits/develop)
[](https://gitlab.com/hackancuba/blake2signer/-/pipelines?page=1&scope=all&ref=develop)
[](https://blake2signer.hackan.net/en/stable/?badge=stable)
[](https://pypi.org/project/blake2signer)
[](https://pypi.org/project/blake2signer)
[](https://gitlab.com/hackancuba/blake2signer/-/blob/main/LICENSE)
[](https://twitter.com/hackancuba)
#  Blake2Signer
The goal of this project is to provide a simple and straightforward way to securely sign data using [BLAKE in keyed hashing mode](https://docs.python.org/3/library/hashlib.html#keyed-hashing), using a secret key. This can be used, in example, when you need to send some data that could be tampered by the user, like a payment authorization, or a login token. This data travels in plaintext, and can be read, but it can't be modified in any way once signed!.
## Why would I need to use it?
* To sign data that needs to be sent through an untrusted channel, like signing a cookie with user data and providing it to the user, so the user can identify themselves with the rest of the system safely.
* To save database lookups by checking signed data, like an account activation or password reset link where you can sign the user id and then verify it securely without using a database.
* To prevent data tampering, like signing some value that goes in a form hidden field such as the user type (admin or regular) so that the user can't trick the value.
* To easily express intent when signing data, like sharing a single secret key between signers to simplify app configuration and use the `personalisation` parameter to prevent signed data misuse.
In short, **never trust** user input, **always verify**. This module helps you do that.
## Why would I want to use it?
Because it is a relatively *small* (around 900 logical lines of code, core around 400), *simple* (the public API has only a couple of methods) yet very *customizable* and *fast* data signer. My idea is to keep it as uncomplicated as possible without much room to become a *footgun*. All *defaults are very correct* (secure), and everything *just works* out of the box.
There are much better packages for other or more general use cases, so if you feel this doesn't satisfy your needs, please [leave a feature request](https://gitlab.com/hackancuba/blake2signer/-/issues) or consider using [itsdangerous](https://itsdangerous.palletsprojects.com), [Django's signer](https://docs.djangoproject.com/en/dev/topics/signing), [pypaseto](https://github.com/rlittlefield/pypaseto), [pyjwt](https://github.com/jpadilla/pyjwt) or others like those.
## Goals
* Be safe and secure.
* Be simple and straightforward.
* Follow [semver](https://semver.org/).
* Be always typed.
* No dependencies (besides dev).
* 100% coverage.
### Secondary goals
* If possible, maintain current active Python versions (3.8+).
* If possible, support Python implementations other than CPython.
## Installing
This package is hosted on [PyPi](https://pypi.org/project/blake2signer) so just:
* `python3 -m pip install blake2signer`
* `poetry add blake2signer`
* `pipenv install blake2signer`
You can check the [releases' page](https://gitlab.com/hackancuba/blake2signer/-/releases) for package hashes and signatures.
Note: if you want to use BLAKE3, you need to install the [`blake3`](https://pypi.org/project/blake3/) package, until it arrives to core (which may or may not happen). Alternatively, you can install this package with extras:
* `python3 -m pip install blake2signer[blake3]`
* `poetry add blake2signer[blake3]`
* `pipenv install blake2signer[blake3]`
### Requirements
Only Python is required; this module doesn't have dependencies besides those used for development, and the optional `blake3`.
Versions currently tested (check the [pipelines](https://gitlab.com/hackancuba/blake2signer/-/pipelines)):
* CPython 3.8
* CPython 3.9
* CPython 3.10
* CPython 3.11
* CPython 3.12
* CPython 3.13-pre
* [PyPy](https://www.pypy.org) 3.8
* If you are contributing to this project under PyPy, [read the contrib notes first](CONTRIB.md#working-under-pypy).
* [PyPy](https://www.pypy.org) 3.9
* If you are contributing to this project under PyPy, [read the contrib notes first](CONTRIB.md#working-under-pypy).
* [PyPy](https://www.pypy.org) 3.10
* If you are contributing to this project under PyPy, [read the contrib notes first](CONTRIB.md#working-under-pypy).
* [Stackless](https://github.com/stackless-dev/stackless/wiki) 3.8
* If you are contributing to this project under Stackless, [read the contrib notes first](CONTRIB.md#working-under-stackless).
## Tl; Dr Example
```python
"""Tl;dr example."""
from datetime import timedelta
from blake2signer import Blake2SerializerSigner
from blake2signer import errors
secret = b'secure-secret-that-nobody-knows!'
# Some arbitrary data to sign
data = {'user_id': 1, 'is_admin': True, 'username': 'hackan'}
signer = Blake2SerializerSigner(
secret,
max_age=timedelta(days=1), # Add a timestamp to the signature
personalisation=b'the-cookie-signer',
)
# Sign and i.e. store the data in a cookie
signed = signer.dumps(data) # Compression is enabled by default
# If compressing data turns out to be detrimental then data won't be
# compressed. If you know that from beforehand and don't need compression, you
# can disable it:
# signed = signer.dumps(data, compress=False)
# Additionally, you can force compression nevertheless:
# signed = signer.dumps(data, force_compression=True)
cookie = {'data': signed}
# To verify and recover data simply use `loads`: you will either get the data or
# a `SignerError` subclass exception.
try:
unsigned = signer.loads(cookie.get('data', ''))
except errors.SignedDataError: # See more about errors in the docs
# Can't trust on given data
unsigned = {}
print(unsigned) # {'user_id': 1, 'is_admin': True, 'username': 'hackan'}
```
Find more [details](https://blake2signer.hackan.net/en/stable/details) and [examples](https://blake2signer.hackan.net/en/stable/examples) in the docs.
> Tip: all modules, classes, methods and functions are documented so don't doubt asking for `help()`.
## Signers
This module provides three signer classes:
* **Blake2SerializerSigner**: a signer class that handles data serialization, compression and encoding along with salted signing and salted timestamped signing. Its public methods are `dumps`, `loads`, `dumps_parts` and `loads_parts`, and `dump` and `load` for files.
* **Blake2Signer**: a signer class that signs plain `bytes` or `str` data. Its public methods are `sign`, `unsign`, `sign_parts` and `unsign_parts`.
* **Blake2TimestampSigner**: a signer class that timestamp signs plain `bytes` or `str` data. Its public methods are `sign`, `unsign`, `sign_parts` and `unsign_parts`.
**You should generally go for Blake2SerializerSigner**, given that it's the most versatile of the three, unless you need to deal with plain `bytes` or strings. Check [details about signers](https://blake2signer.hackan.net/en/stable/details) and [usage examples](https://blake2signer.hackan.net/en/stable/examples) to learn more.
## Documentation
Check out this [project docs online](https://blake2signer.hackan.net), or locally with `inv docs`. Alternatively, build them locally using `inv docs --build`.
## Getting help
For help, support, and discussions, come to our [Matrix room](https://matrix.to/#/#blake2signer:mozilla.org). For issues, please use the [Gitlab issue tracker](https://gitlab.com/hackancuba/blake2signer/-/issues).
## Notice
I'm not a cryptoexpert, so *this project needs a security review*. If you are one and can do it, please [contact me](https://hackan.net).
## Contributors
In alphabetical ordering, with short description about contribution:
* [Erus](https://gitlab.com/erudin): docs title logo, code review.
* [NoonSleeper](https://gitlab.com/noonsleeper): project icons.
## License
**Blake2Signer** is made by [HacKan](https://hackan.net) under MPL v2.0. You are free to use, share, modify and share modifications under the terms of that [license](LICENSE). Derived works may link back to the canonical repository: `https://gitlab.com/hackancuba/blake2signer`.
Copyright (C) 2020-2024 HacKan (https://hackan.net)
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at https://mozilla.org/MPL/2.0/.
----
[](https://creativecommons.org/licenses/by-sa/4.0/) *Blake2Signer icons* by [NoonSleeper](https://gitlab.com/noonsleeper) are licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). You are free to use, share, modify and share modifications under the terms of that [license](https://creativecommons.org/licenses/by-sa/4.0/). They were based on *Blake2Signer logo* by [HacKan](https://hackan.net) which was based on [this sword](https://thenounproject.com/term/samurai-sword/2044449/) by *Hamza Wahbi* and [this signature](https://thenounproject.com/term/sign/184638/) by *Nick Bluth*, both licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/), and inspired by [It's dangerous logo](https://itsdangerous.palletsprojects.com/en/1.1.x/_images/itsdangerous-logo.png).
Check them out in the [icons](https://gitlab.com/hackancuba/blake2signer/-/blob/develop/icons) subdir.
[](https://creativecommons.org/licenses/by-sa/4.0/) *[Blake2Signer with Logo](https://gitlab.com/hackancuba/blake2signer/-/blob/develop/docs/docs/img/title.svg)* by [Erus](https://gitlab.com/erudin) is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). You are free to use, share, modify and share modifications under the terms of that [license](https://creativecommons.org/licenses/by-sa/4.0/). It uses OFL licensed [Bilbo font](https://fontesk.com/bilbo-font).
Raw data
{
"_id": null,
"home_page": "https://gitlab.com/hackancuba/blake2signer",
"name": "blake2signer",
"maintainer": null,
"docs_url": null,
"requires_python": "<4.0,>=3.8.1",
"maintainer_email": null,
"keywords": "blake, cryptography, crypto, signer, signature, keyed-hashing, hashing, mac, digest",
"author": "HacKan",
"author_email": "hackan@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/0a/1b/246b9232ad003d219458715ff02e7c5351b546655a8831f3f59bf1874179/blake2signer-3.1.0.tar.gz",
"platform": null,
"description": "[](https://gitlab.com/hackancuba/blake2signer/-/commits/develop)\n[](https://gitlab.com/hackancuba/blake2signer/-/pipelines?page=1&scope=all&ref=develop)\n[](https://blake2signer.hackan.net/en/stable/?badge=stable)\n[](https://pypi.org/project/blake2signer)\n[](https://pypi.org/project/blake2signer)\n[](https://gitlab.com/hackancuba/blake2signer/-/blob/main/LICENSE)\n[](https://twitter.com/hackancuba)\n\n#  Blake2Signer\n\nThe goal of this project is to provide a simple and straightforward way to securely sign data using [BLAKE in keyed hashing mode](https://docs.python.org/3/library/hashlib.html#keyed-hashing), using a secret key. This can be used, in example, when you need to send some data that could be tampered by the user, like a payment authorization, or a login token. This data travels in plaintext, and can be read, but it can't be modified in any way once signed!.\n\n## Why would I need to use it?\n\n* To sign data that needs to be sent through an untrusted channel, like signing a cookie with user data and providing it to the user, so the user can identify themselves with the rest of the system safely.\n* To save database lookups by checking signed data, like an account activation or password reset link where you can sign the user id and then verify it securely without using a database.\n* To prevent data tampering, like signing some value that goes in a form hidden field such as the user type (admin or regular) so that the user can't trick the value.\n* To easily express intent when signing data, like sharing a single secret key between signers to simplify app configuration and use the `personalisation` parameter to prevent signed data misuse.\n\nIn short, **never trust** user input, **always verify**. This module helps you do that.\n\n## Why would I want to use it?\n\nBecause it is a relatively *small* (around 900 logical lines of code, core around 400), *simple* (the public API has only a couple of methods) yet very *customizable* and *fast* data signer. My idea is to keep it as uncomplicated as possible without much room to become a *footgun*. All *defaults are very correct* (secure), and everything *just works* out of the box.\n\nThere are much better packages for other or more general use cases, so if you feel this doesn't satisfy your needs, please [leave a feature request](https://gitlab.com/hackancuba/blake2signer/-/issues) or consider using [itsdangerous](https://itsdangerous.palletsprojects.com), [Django's signer](https://docs.djangoproject.com/en/dev/topics/signing), [pypaseto](https://github.com/rlittlefield/pypaseto), [pyjwt](https://github.com/jpadilla/pyjwt) or others like those.\n\n## Goals\n\n* Be safe and secure.\n* Be simple and straightforward.\n* Follow [semver](https://semver.org/).\n* Be always typed.\n* No dependencies (besides dev).\n* 100% coverage.\n\n### Secondary goals\n\n* If possible, maintain current active Python versions (3.8+).\n* If possible, support Python implementations other than CPython.\n\n## Installing\n\nThis package is hosted on [PyPi](https://pypi.org/project/blake2signer) so just:\n\n* `python3 -m pip install blake2signer`\n* `poetry add blake2signer`\n* `pipenv install blake2signer`\n\nYou can check the [releases' page](https://gitlab.com/hackancuba/blake2signer/-/releases) for package hashes and signatures.\n\nNote: if you want to use BLAKE3, you need to install the [`blake3`](https://pypi.org/project/blake3/) package, until it arrives to core (which may or may not happen). Alternatively, you can install this package with extras:\n\n* `python3 -m pip install blake2signer[blake3]`\n* `poetry add blake2signer[blake3]`\n* `pipenv install blake2signer[blake3]`\n\n### Requirements\n\nOnly Python is required; this module doesn't have dependencies besides those used for development, and the optional `blake3`.\n\nVersions currently tested (check the [pipelines](https://gitlab.com/hackancuba/blake2signer/-/pipelines)):\n\n* CPython 3.8\n* CPython 3.9\n* CPython 3.10\n* CPython 3.11\n* CPython 3.12\n* CPython 3.13-pre\n* [PyPy](https://www.pypy.org) 3.8\n * If you are contributing to this project under PyPy, [read the contrib notes first](CONTRIB.md#working-under-pypy).\n* [PyPy](https://www.pypy.org) 3.9\n * If you are contributing to this project under PyPy, [read the contrib notes first](CONTRIB.md#working-under-pypy).\n* [PyPy](https://www.pypy.org) 3.10\n * If you are contributing to this project under PyPy, [read the contrib notes first](CONTRIB.md#working-under-pypy).\n* [Stackless](https://github.com/stackless-dev/stackless/wiki) 3.8\n * If you are contributing to this project under Stackless, [read the contrib notes first](CONTRIB.md#working-under-stackless).\n\n## Tl; Dr Example\n\n```python\n\"\"\"Tl;dr example.\"\"\"\n\nfrom datetime import timedelta\n\nfrom blake2signer import Blake2SerializerSigner\nfrom blake2signer import errors\n\nsecret = b'secure-secret-that-nobody-knows!'\n# Some arbitrary data to sign\ndata = {'user_id': 1, 'is_admin': True, 'username': 'hackan'}\n\nsigner = Blake2SerializerSigner(\n secret,\n max_age=timedelta(days=1), # Add a timestamp to the signature\n personalisation=b'the-cookie-signer',\n)\n\n# Sign and i.e. store the data in a cookie\nsigned = signer.dumps(data) # Compression is enabled by default\n# If compressing data turns out to be detrimental then data won't be\n# compressed. If you know that from beforehand and don't need compression, you\n# can disable it:\n# signed = signer.dumps(data, compress=False)\n# Additionally, you can force compression nevertheless:\n# signed = signer.dumps(data, force_compression=True)\ncookie = {'data': signed}\n\n# To verify and recover data simply use `loads`: you will either get the data or\n# a `SignerError` subclass exception.\ntry:\n unsigned = signer.loads(cookie.get('data', ''))\nexcept errors.SignedDataError: # See more about errors in the docs\n # Can't trust on given data\n unsigned = {}\n\nprint(unsigned) # {'user_id': 1, 'is_admin': True, 'username': 'hackan'}\n```\n\nFind more [details](https://blake2signer.hackan.net/en/stable/details) and [examples](https://blake2signer.hackan.net/en/stable/examples) in the docs.\n\n> Tip: all modules, classes, methods and functions are documented so don't doubt asking for `help()`.\n\n## Signers\n\nThis module provides three signer classes:\n\n* **Blake2SerializerSigner**: a signer class that handles data serialization, compression and encoding along with salted signing and salted timestamped signing. Its public methods are `dumps`, `loads`, `dumps_parts` and `loads_parts`, and `dump` and `load` for files.\n* **Blake2Signer**: a signer class that signs plain `bytes` or `str` data. Its public methods are `sign`, `unsign`, `sign_parts` and `unsign_parts`.\n* **Blake2TimestampSigner**: a signer class that timestamp signs plain `bytes` or `str` data. Its public methods are `sign`, `unsign`, `sign_parts` and `unsign_parts`.\n\n**You should generally go for Blake2SerializerSigner**, given that it's the most versatile of the three, unless you need to deal with plain `bytes` or strings. Check [details about signers](https://blake2signer.hackan.net/en/stable/details) and [usage examples](https://blake2signer.hackan.net/en/stable/examples) to learn more.\n\n## Documentation\n\nCheck out this [project docs online](https://blake2signer.hackan.net), or locally with `inv docs`. Alternatively, build them locally using `inv docs --build`.\n\n## Getting help\n\nFor help, support, and discussions, come to our [Matrix room](https://matrix.to/#/#blake2signer:mozilla.org). For issues, please use the [Gitlab issue tracker](https://gitlab.com/hackancuba/blake2signer/-/issues).\n\n## Notice\n\nI'm not a cryptoexpert, so *this project needs a security review*. If you are one and can do it, please [contact me](https://hackan.net).\n\n## Contributors\n\nIn alphabetical ordering, with short description about contribution:\n\n* [Erus](https://gitlab.com/erudin): docs title logo, code review.\n* [NoonSleeper](https://gitlab.com/noonsleeper): project icons.\n\n## License\n\n**Blake2Signer** is made by [HacKan](https://hackan.net) under MPL v2.0. You are free to use, share, modify and share modifications under the terms of that [license](LICENSE). Derived works may link back to the canonical repository: `https://gitlab.com/hackancuba/blake2signer`.\n\n Copyright (C) 2020-2024 HacKan (https://hackan.net)\n This Source Code Form is subject to the terms of the Mozilla Public\n License, v. 2.0. If a copy of the MPL was not distributed with this\n file, You can obtain one at https://mozilla.org/MPL/2.0/.\n\n----\n\n[](https://creativecommons.org/licenses/by-sa/4.0/) *Blake2Signer icons* by [NoonSleeper](https://gitlab.com/noonsleeper) are licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). You are free to use, share, modify and share modifications under the terms of that [license](https://creativecommons.org/licenses/by-sa/4.0/). They were based on *Blake2Signer logo* by [HacKan](https://hackan.net) which was based on [this sword](https://thenounproject.com/term/samurai-sword/2044449/) by *Hamza Wahbi* and [this signature](https://thenounproject.com/term/sign/184638/) by *Nick Bluth*, both licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/), and inspired by [It's dangerous logo](https://itsdangerous.palletsprojects.com/en/1.1.x/_images/itsdangerous-logo.png).\n\nCheck them out in the [icons](https://gitlab.com/hackancuba/blake2signer/-/blob/develop/icons) subdir.\n\n[](https://creativecommons.org/licenses/by-sa/4.0/) *[Blake2Signer with Logo](https://gitlab.com/hackancuba/blake2signer/-/blob/develop/docs/docs/img/title.svg)* by [Erus](https://gitlab.com/erudin) is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). You are free to use, share, modify and share modifications under the terms of that [license](https://creativecommons.org/licenses/by-sa/4.0/). It uses OFL licensed [Bilbo font](https://fontesk.com/bilbo-font).\n",
"bugtrack_url": null,
"license": "MPL-2.0",
"summary": "A library to use BLAKE in keyed hashing mode to sign and verify signed data",
"version": "3.1.0",
"project_urls": {
"Changelog": "https://blake2signer.hackan.net/en/latest/changelog",
"Documentation": "https://blake2signer.hackan.net",
"Homepage": "https://gitlab.com/hackancuba/blake2signer",
"Issues": "https://gitlab.com/hackancuba/blake2signer/-/issues",
"Repository": "https://gitlab.com/hackancuba/blake2signer"
},
"split_keywords": [
"blake",
" cryptography",
" crypto",
" signer",
" signature",
" keyed-hashing",
" hashing",
" mac",
" digest"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "bfd08e28ff64d91a02fa85cdc6cd54f094228504f9fdd2fefcd6fb0878226e79",
"md5": "6b957057aa3ccee5d08c34c0a5d199d9",
"sha256": "4897c72668bedb638944cda9323594e240284ddbdf16e27687b097b714367784"
},
"downloads": -1,
"filename": "blake2signer-3.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "6b957057aa3ccee5d08c34c0a5d199d9",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4.0,>=3.8.1",
"size": 57498,
"upload_time": "2024-04-28T19:12:06",
"upload_time_iso_8601": "2024-04-28T19:12:06.619141Z",
"url": "https://files.pythonhosted.org/packages/bf/d0/8e28ff64d91a02fa85cdc6cd54f094228504f9fdd2fefcd6fb0878226e79/blake2signer-3.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "0a1b246b9232ad003d219458715ff02e7c5351b546655a8831f3f59bf1874179",
"md5": "7251a045258503b4de45ab93fcced67e",
"sha256": "d23990dbc596286f041ed6475d72007a90091e0c57370ff21950abc7b91fe2ba"
},
"downloads": -1,
"filename": "blake2signer-3.1.0.tar.gz",
"has_sig": false,
"md5_digest": "7251a045258503b4de45ab93fcced67e",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4.0,>=3.8.1",
"size": 51941,
"upload_time": "2024-04-28T19:12:08",
"upload_time_iso_8601": "2024-04-28T19:12:08.529193Z",
"url": "https://files.pythonhosted.org/packages/0a/1b/246b9232ad003d219458715ff02e7c5351b546655a8831f3f59bf1874179/blake2signer-3.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-04-28 19:12:08",
"github": false,
"gitlab": true,
"bitbucket": false,
"codeberg": false,
"gitlab_user": "hackancuba",
"gitlab_project": "blake2signer",
"lcname": "blake2signer"
}
JSON