Name | wacz_signing |
Version | 0.3.8 |
home_page | None |
Summary | A library for signing and timestamping file hashes |
upload_time | 2024-04-19 13:28:43 |
maintainer | None |
docs_url | None |
author | Ben Steinberg |
requires_python | <4.0,>=3.9 |
license | GPL-3.0-or-later |
keywords | |
VCS | |
bugtrack_url | |
requirements | No requirements were recorded. |
Travis-CI | No Travis. |
coveralls test coverage | No coveralls. |
wacz-signing
============
[![test status](https://github.com/harvard-lil/wacz-signing/actions/workflows/tests.yml/badge.svg)](https://github.com/harvard-lil/wacz-signing/actions)
This package builds on work by Ilya Kreymer and Webrecorder in
[authsign](https://github.com/webrecorder/authsign). It is intended
for use in WACZ signing (and to a lesser extent, verification), as set
forth in the Webrecorder Recommendation [WACZ Signing and
Verification](https://specs.webrecorder.net/wacz-auth/0.1.0/). It is
an attempt to reduce authsign's footprint, and decouple signing from
any specific web API, authentication, and the process of obtaining key
material. It also omits the optional cross-signing mechanism specified
in the recommendation and provided by authsign.
<a href="https://tools.perma.cc"><img src="https://github.com/harvard-lil/tools.perma.cc/blob/main/perma-tools.png?raw=1" alt="Perma Tools" width="150"></a>
Installation
------------
For regular use, start a virtual environment and install this package
and its requirements, something like this:
```
python3 -m venv env
. env/bin/activate
pip install wacz-signing
```
Use
---
The simplest way to use this system is to provide the environment
variables `DOMAIN` and `CERTNAME`, possibly in a `.env` file; the
package will then use the key material in
`/etc/letsencrypt/live/<CERTNAME>/`. (The provision of `DOMAIN` is to
accommodate the possibility that the domain name we care about is not
the one that was originally used to create the cert.) Then, you can
```
>>> from wacz_signing import signer
>>> from datetime import datetime
>>> result = signer.sign('hello world!', datetime.utcnow())
>>> signer.verify(result)
{'observer': ['mkcert'], 'software': 'wacz-signing 0.2.6', 'timestamp': '2022-10-05T20:40:58Z'}
```
or
```
>>> signer.verify_wacz('test_files/valid_signed_example_1.wacz')
{'observer': ['btrix-sign-test.webrecorder.net'], 'software': 'authsigner 0.3.0', 'timestamp': '2022-01-18T19:00:12Z'}
```
You can also provide cert, key, and timestamper material directly, or
in alternate files, using environment variables: you MUST provide
`DOMAIN`; you MUST provide either `CERTNAME` or one of `CERT` and
`CERTFILE`; if you have set `CERTNAME`, you MUST provide one of `KEY`
and `KEYFILE`. If you're not using Let's Encrypt certs, you'll need to
set `CERT_ROOTS`. You may also configure the timestamper with `TS_CERT`
or `TS_CERTFILE` and `TS_URL` and `TS_ROOTS`. You may additionally
change the `CERT_DURATION` from its default of 7 days, and the
`STAMP_DURATION` from its default of 10 minutes.

You may want to catch `signer.SigningException` and
`signer.VerificationException`.

For local development and testing, you'll need to install
[mkcert](https://github.com/FiloSottile/mkcert). To generate certs and
set up the environment, run
```
bash ./set-up-dot-env.sh
```
Certificate management
----------------------
If you're using Let's Encrypt certs, and you want them to be valid for a
short duration, say the default of seven days, you would need to force
a renewal after a week, then manually revoke the previous week's cert,
something like
```
certbot renew --force-renewal --deploy-hook /path/to/deploy-hook-script
```
(or just put the script in `/etc/letsencrypt/renewal-hooks/deploy/`),
where the script runs something like
```
# certbot accepts only these --reason values: unspecified, keycompromise,
# affiliationchanged, superseded, cessationofoperation.
certbot revoke --cert-path "$(ls -t /etc/letsencrypt/archive/${CERTNAME}/cert*.pem | head -n 2 | tail -n 1)" --reason superseded
```
(But triple-check this before attempting it in earnest; a correct
example may follow.)
Use cases
---------
This package could be used in a tiny web API, of course; see
[examples/web-api/](examples/web-api/). It could also be integrated
into a producer of WACZ files, like a future version of Perma, which
would sign archives internally; it could also be run in a lambda,
which is why it's possible to provide key material directly in
environment variables.