GopenPGP
GopenPGP is a high-level OpenPGP library built on top of a fork of the golang crypto library.
Table of Contents
Download/Install
This package uses Go Modules, and thus requires Go 1.11+. If you're also using Go Modules, simply import it and start using it (see Set up). If not, run:
go get github.com/ProtonMail/gopenpgp # or git clone this repository into the following path
cd $GOPATH/src/github.com/ProtonMail/gopenpgp
GO111MODULE=on go mod vendor
(After that, the code will also work in Go 1.10, but you need Go 1.11 for the go mod
command.)
Documentation
https://godoc.org/github.com/ProtonMail/gopenpgp/crypto
Using with Go Mobile
Setup Go Mobile and build/bind the source code:
Go Mobile repo: https://github.com/golang/mobile Go Mobile wiki: https://github.com/golang/go/wiki/Mobile
-
Install Go:
brew install go
-
Install Gomobile:
go get -u golang.org/x/mobile/cmd/gomobile
-
Install Gobind:
go install golang.org/x/mobile/cmd/gobind
-
Install Android SDK and NDK using Android Studio
-
Set env:
export ANDROID_HOME="/AndroidSDK"
(path to your SDK) -
Init gomobile:
gomobile init -ndk /AndroidSDK/ndk-bundle/
(path to your NDK) -
Copy Go module dependencies to the vendor directory:
go mod vendor
-
Build examples:
gomobile build -target=android #or ios
Bind examples:
gomobile bind -target ios -o frameworks/name.framework
gomobile bind -target android
The bind will create framework for iOS and jar&aar files for Android (x86_64 and ARM).
Other notes
If you wish to use build.sh, you may need to modify the paths in it.
Interfacing between Go and Swift: https://medium.com/@matryer/tutorial-calling-go-code-from-swift-on-ios-and-vice-versa-with-gomobile-7925620c17a4.
Examples
Set up
import "github.com/ProtonMail/gopenpgp/crypto"
Encrypt and decrypt
Encryption and decryption will use the AES256 algorithm by default.
Encrypt / Decrypt with password
var pgp = crypto.GopenPGP{}
const password = "my secret password"
// Encrypt data with password
armor, err := pgp.EncryptMessageWithPassword("my message", password)
// Decrypt data with password
message, err := pgp.DecryptMessageWithPassword(armor, password)
Encrypt / Decrypt with PGP keys
// put keys in backtick (``) to avoid errors caused by spaces or tabs
const pubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----`
const privkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----` // encrypted private key
const passphrase = `the passphrase of the private key` // what the privKey is encrypted with
publicKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(pubkey))
privateKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(privkey))
privateKeyRing.Unlock([]byte(passphrase)) // if private key is locked with passphrase
// encrypt message using public key, can be optionally signed using private key
armor, err := publicKeyRing.EncryptMessage("plain text", privateKeyRing)
// decrypt armored encrypted message using the private key
signedText, err := privateKeyRing.DecryptMessage(armor)
plainText = signedText.String
// verify signature (optional)
signed = signedText.Signed.IsBy(publicKeyRing)
Generate key
Keys are generated with the GenerateKey
function, that returns the armored key as a string and a potential error.
The library supports RSA with different key lengths or Curve25519 keys.
var pgp = crypto.GopenPGP{}
const (
localPart = "name.surname"
domain = "example.com"
passphrase = "LongSecret"
rsaBits = 2048
ecBits = 256
)
// RSA
rsaKey, err := pgp.GenerateKey(localPart, domain, passphrase, "rsa", rsaBits)
// Curve25519
ecKey, err := pgp.GenerateKey(localPart, domain, passphrase, "x25519", ecBits)
Sign plain text messages
To sign plain text data either an unlocked private keyring or a passphrase must be provided. The output is an armored signature.
const privkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----` // encrypted private key
passphrase = "LongSecret"
const trimNewlines = false
signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(privkey))
signature, err := signingKeyRing.SignTextDetached(plaintext, passphrase, trimNewlines)
// passphrase is optional if the key is already unlocked
To verify a signature either private or public keyring can be provided.
The newlines in the text are never trimmed in the verification process.
The function outputs a bool, if the verification fails verified
will be false, and the error will be not nil
.
const pubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----`
const signature = `-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----`
const verifyTime = 0
const trimNewlines = false
signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(pubkey))
verified, err := signingKeyRing.VerifyTextDetachedSig(signature, signedPlainText, verifyTime, trimNewlines)
Detached signatures for binary data
To sign binary data either an unlocked private keyring or a passphrase must be provided. The output is an armored signature.
const privkey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----` // encrypted private key
passphrase = "LongSecret"
signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(privkey))
signature, err := signingKeyRing.SignBinDetached(data, passphrase)
// passphrase is optional if the key is already unlocked
To verify a signature either private or public keyring can be provided.
The newlines in the text are never trimmed in the verification process.
The function outputs a bool, if the verification fails verified
will be false, and the error will be not nil
.
const pubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----`
const signature = `-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----`
const verifyTime = 0
signingKeyRing, err := crypto.ReadArmoredKeyRing(strings.NewReader(pubkey))
verified, err := signingKeyRing.VerifyBinDetachedSig(signature, data, verifyTime)