blake2signer 4.0.0

A library to use BLAKE in keyed hashing mode to sign and verify signed data

Blake2Signer

The goal of this project is to provide a simple and straightforward way to securely sign data using BLAKE in keyed hashing mode, using a secret key. This can be used, for example, when you need to send some data that could be tampered by the user, like a payment authorization, or a login token. This data goes as plaintext, and can be read, but it can't be modified in any way once signed!.

Why would I need to use it?

• To sign data that needs to be sent through an untrusted channel, like signing a cookie with user data and providing it to the user, so they can identify themselves with the rest of the system safely.
• To save database lookups by checking signed data, like an account activation, or password reset link, where you can sign the user id, and then verify it securely.
• To prevent data tampering, like signing some value that goes in a form hidden field such as the user type (admin, or unprivileged), so that the user can't modify that value.
• To easily express intent when signing data, like sharing a single secret key between signers to simplify app configuration and use the personalisation parameter to prevent signed data misuse.

In short, never trust user input, always verify it. This lib helps you do that.

Why would I want to use it?

Because it is a relatively small (around 900 logical lines of code, core around 400), simple (the public API has only a couple of methods) yet very customizable, and fast data signer. My idea is to keep it as uncomplicated as possible without room to become a footgun. All defaults are very correct (secure), and everything just works out of the box.

If you think this lib doesn't fulfill your requirements, please leave a feature request, and consider using other great libs like itsdangerous, Django's signer, pypaseto, or pyjwt.

Quickstart

This lib has been designed to be easy-to-use with many knobs to provide adaptability, but safe defaults, and limits to prevent footguns. All methods, classes and functions are properly documented in the docs, and in docstrings, so you can always use your IDE's autocompletion, and Python's help(...).

"""Quickstart example.

Run with: SECRET="some secure and random secret" python3 quickstart.py

See `blake2signer.utils.generate_secret` to generate a secure one.
"""
import os
from datetime import timedelta

from blake2signer import Blake2SerializerSigner
from blake2signer import errors

secret = os.getenv('SECRET')  # See `blake2signer.utils.generate_secret`
assert secret

# Some arbitrary data to sign
data = {
    'user_id': 1,
    'is_admin': True,
    'username': 'hackan',
}

signer = Blake2SerializerSigner(
    secret,
    max_age=timedelta(days=1),  # Set the signature expiration time
    # Use any particular string to distinctly identify this signer (not secret, hardcoded)
    personalisation=b'the-cookie-signer',
)

# Sign and i.e. store the data in a cookie
signed = signer.dumps(data)  # Compression is enabled by default

# If compressing data turns out to be detrimental, then data won't be compressed.
# If you know that from beforehand and don't need compression, you can disable it:
# signed = signer.dumps(data, compress=False)
# Additionally, you can force compression nevertheless:
# signed = signer.dumps(data, force_compression=True)

cookie = {
    'data': signed,
}

# To verify and recover data, use `loads`: you will either get the data,
# or a `SignerError` subclass exception.
try:
    unsigned = signer.loads(cookie.get('data', ''))
except errors.SignedDataError:
    # Can't trust on given data
    unsigned = {}

print(unsigned)  # {'user_id': 1, 'is_admin': True, 'username': 'hackan'}

There are plenty of examples for each of the existing features, as well as well-documented details about them, so check them out!

Despite this lib being fast, there are ways to improve its performance. Check out the respective docs to implement signers the most efficient way possible.

Goals

• Be safe and secure.
• Be easy-to-use and straightforward.
• Follow semver.
• Be always typed.
• No dependencies (besides dev).
• 100% coverage.

Secondary goals

• If possible, maintain current active Python versions (3.9+).
• If possible, support Python implementations other than CPython.

Installing

This package is hosted on PyPi:

• python3 -m pip install blake2signer
• poetry add blake2signer
• pipenv install blake2signer
• uv add blake2signer

You can check the releases' page for package hashes and signatures.

Note: if you want to use BLAKE3, you need to install the blake3 package, until it arrives to core (which may, or may not happen). Alternatively, you can install this package with extras:

• python3 -m pip install blake2signer[blake3]
• poetry add blake2signer[blake3]
• pipenv install blake2signer[blake3]
• uv add blake2signer[blake3]

Requirements

Only Python is required; this module doesn't have dependencies besides those used for development, and the optional blake3.

Versions currently tested (check the pipelines):

• CPython 3.9
• CPython 3.10
• CPython 3.11
• CPython 3.12
• CPython 3.13
• CPython 3.14-pre
• PyPy 3.9
• PyPy 3.10
• PyPy 3.11

Note: If you are contributing to this project under PyPy, read the contrib notes first.

Note: We used to verify support on Stackless, but the project has been archived, and with Python 3.8 being EOL, we dropped it.

Signers

This module provides three signer classes:

• Blake2SerializerSigner: a signer class that handles data serialization, compression and encoding along with salted signing and salted timestamped signing. Its public methods are dumps, loads, dumps_parts and loads_parts, and dump and load for files.
• Blake2Signer: a signer class that signs plain bytes or str data. Its public methods are sign, unsign, sign_parts and unsign_parts.
• Blake2TimestampSigner: a signer class that timestamp signs plain bytes or str data. Its public methods are sign, unsign, sign_parts and unsign_parts.

You should generally go for Blake2SerializerSigner, given that it's the most versatile of the three, unless you need to deal with plain bytes or strings. Check details about signers and usage examples to learn more.

Documentation

Check out this project docs online, or locally with inv docs. Alternatively, build them locally using inv docs --build.

Getting help

For help, support, and discussions, come to our Matrix room. For issues, please use the Gitlab issue tracker.

Notice

I'm not a cryptoexpert, so this project needs a security review. If you are one and can do it, please contact me.

Contributors

In alphabetical ordering, with short description about contribution:

• Erus: docs title logo, code review.
• NoonSleeper: project icons, infra.

License

Blake2Signer is made by HacKan under MPL v2.0. You are free to use, share, modify and share modifications under the terms of that license. Derived works may link back to the canonical repository: https://gitlab.com/hackancuba/blake2signer.

Copyright (C) 2020-2025 HacKan (https://hackan.net)
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at https://mozilla.org/MPL/2.0/.

---

Blake2Signer icons by Erus, originally by NoonSleeper are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. You are free to use, share, modify and share modifications under the terms of that license. They were based on Blake2Signer logo by HacKan which was based on this sword by Hamza Wahbi and this signature by Nick Bluth, both licensed under CC BY 3.0, and inspired by It's dangerous logo.

Check them out in the icons subdir.

Blake2Signer with Logo by Erus is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. You are free to use, share, modify and share modifications under the terms of that license. It uses OFL licensed Bilbo font.