| Field | Value |
|---|---|
| Name | wacz-signing |
| Version | 0.2.9 |
| Summary | A library for signing and timestamping file hashes |
| upload_time | 2023-06-05 13:31:22 |
| author | Ben Steinberg |
| requires_python | >=3.9,<4.0 |
| license | GPL-3.0-or-later |
| requirements | No requirements were recorded. |

wacz-signing
============
[![test status](https://github.com/harvard-lil/wacz-signing/actions/workflows/tests.yml/badge.svg)](https://github.com/harvard-lil/wacz-signing/actions)
This package builds on work by Ilya Kreymer and Webrecorder in
[authsign](https://github.com/webrecorder/authsign). It is intended
for use in WACZ signing (and to a lesser extent, verification), as set
forth in the Webrecorder Recommendation [WACZ Signing and
Verification](https://specs.webrecorder.net/wacz-auth/0.1.0/). It is
an attempt to reduce authsign's footprint, and decouple signing from
any specific web API, authentication, and the process of obtaining key
material. It also omits the optional cross-signing mechanism specified
in the recommendation and provided by authsign.
<a href="https://tools.perma.cc"><img src="https://github.com/harvard-lil/tools.perma.cc/blob/main/perma-tools.png?raw=1" alt="Perma Tools" width="150"></a>
Installation
------------
For regular use, start a virtual environment and install this package
and its requirements, something like this:
```
python3 -m venv env
. env/bin/activate
pip install wacz-signing
```
Use
---
The simplest way to use this system is to provide the environment
variables `DOMAIN` and `CERTNAME`, possibly in a `.env` file; the
package will then use the key material in
`/etc/letsencrypt/live/<CERTNAME>/`. (The provision of `DOMAIN` is to
accommodate the possibility that the domain name we care about is not
the one that was originally used to create the cert.) Then, you can
```
>>> from wacz_signing import signer
>>> from datetime import datetime
>>> result = signer.sign('hello world!', datetime.utcnow())
>>> signer.verify(result)
{'observer': ['mkcert'], 'software': 'wacz-signing 0.2.6', 'timestamp': '2022-10-05T20:40:58Z'}
```
or
```
>>> signer.verify_wacz('test_files/valid_signed_example_1.wacz')
{'observer': ['btrix-sign-test.webrecorder.net'], 'software': 'authsigner 0.3.0', 'timestamp': '2022-01-18T19:00:12Z'}
```
You can also provide cert, key, and timestamper material directly, or
in alternate files, using environment variables: you MUST provide
`DOMAIN`; you MUST provide either `CERTNAME` or one of `CERT` and
`CERTFILE`; if you have set `CERTNAME`, you MUST provide one of `KEY`
and `KEYFILE`. If you're not using Let's Encrypt certs, you'll need to
set `CERT_ROOTS`. You may also configure the timestamper with `TS_CERT`
or `TS_CERTFILE` and `TS_URL` and `TS_ROOTS`. You may additionally
change the `CERT_DURATION` from its default of 7 days, and the
`STAMP_DURATION` from its default of 10 minutes.
You may want to catch `signer.SigningException` and
`signer.VerificationException`.
For local development and testing, you'll need to install
[mkcert](https://github.com/FiloSottile/mkcert). To generate certs and
set up the environment, run
```
bash ./set-up-dot-env.sh
```
Certificate management
----------------------
If you're using Let's Encrypt certs, and you want them to be valid for a
short duration, say the default of seven days, you would need to force
a renewal after a week, then manually revoke the previous week's cert,
something like
```
certbot renew --force-renewal --deploy-hook /path/to/deploy-hook-script
```
(or just put the script in `/etc/letsencrypt/renewal-hooks/deploy/`),
where the script runs something like
```
# Revoke the second-newest cert (the one just replaced); "superseded" is certbot's reason code for that.
certbot revoke --cert-path "$(ls -t /etc/letsencrypt/archive/${CERTNAME}/cert*.pem | head -n 2 | tail -n 1)" --reason superseded
```
(But triple-check this before attempting it in earnest; a correct
example may follow.)
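
One way to write the deploy hook described above, as an added example that is not the project's own script: it picks the previous certificate by the numeric suffix of `certN.pem` instead of `ls -t`, does nothing on a first issuance, and passes `--no-delete-after-revoke` so the renewed lineage stays in place. The function names and the `HOOK_DRY_RUN` variable are assumptions of this example; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example (not the project's script): deploy hook that revokes the
# certificate superseded by the renewal certbot has just completed.
# Assumes certbot's layout: live/<name>/ beside archive/<name>/certN.pem.

# Print the second-newest certN.pem in an archive directory, ordered by the
# numeric suffix N rather than by mtime; fail if there is no earlier cert.
previous_cert() {
    dir=$1
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac   # skip non-numeric names
        echo "$n"
    done | sort -n | tail -n 2 | (
        read -r prev || exit 1
        read -r _latest || exit 1                  # only one cert: first issuance
        printf '%s/cert%s.pem\n' "$dir" "$prev"
    )
}

# Map a lineage path (live/<name>) to its archive/<name> directory.
archive_dir() {
    lineage=${1%/}
    printf '%s/archive/%s\n' "$(dirname "$(dirname "$lineage")")" "$(basename "$lineage")"
}

# Revoke the previous cert of a lineage. HOOK_DRY_RUN (a variable of this
# example, not a certbot setting) prints the command instead of running it.
revoke_previous() {
    old=$(previous_cert "$(archive_dir "$1")") || return 0
    set -- certbot revoke --non-interactive --no-delete-after-revoke \
        --cert-path "$old" --reason superseded
    if [ -n "${HOOK_DRY_RUN:-}" ]; then echo "$@"; else "$@"; fi
}

# certbot exports RENEWED_LINEAGE to deploy hooks; do nothing without it.
[ -z "${RENEWED_LINEAGE:-}" ] || revoke_previous "$RENEWED_LINEAGE"
```

Run it once with `HOOK_DRY_RUN=1` and `RENEWED_LINEAGE` pointed at a lineage to see which certificate it would revoke before installing it as a hook.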
Use cases
---------
This package could be used in a tiny web API, of course; see
[examples/web-api/](examples/web-api/). It could also be integrated
into a producer of WACZ files, like a future version of Perma, which
would sign archives internally; it could also be run in a lambda,
which is why it's possible to provide key material directly in
environment variables.