swarmauri_signing_pgp 0.3.0.dev31

OpenPGP envelope signer for Swarmauri

---

Swarmauri Signing PGP

The swarmauri_signing_pgp package provides an OpenPGP signer for the Swarmauri SDK. It creates and verifies detached signatures over raw byte payloads or structured envelopes that are canonicalized to JSON or, optionally, CBOR.

Features

• Detached OpenPGP signatures for bytes and envelopes
• JSON canonicalization with optional CBOR support via cbor2
• Multi-signer verification with configurable minimum signer requirements
• Private key loading from in-memory pgpy objects or ASCII-armored blobs
• Passphrase handling for locked private keys

Installation

Install the package with your preferred Python packaging tool:

pip install swarmauri_signing_pgp

poetry add swarmauri_signing_pgp

uv pip install swarmauri_signing_pgp

Optional CBOR support

Enable canonicalization to CBOR by installing the optional dependency group:

pip install "swarmauri_signing_pgp[cbor]"

poetry add swarmauri_signing_pgp -E cbor

uv pip install "swarmauri_signing_pgp[cbor]"

Usage

The signer exposes asynchronous methods from the Swarmauri signing base class. Key references are dictionaries describing how to load private keys. For pgpy objects, the signer expects a mapping such as {"kind": "pgpy_key", "priv": pgpy_key}. Verification requires the corresponding public keys supplied in the opts={"pubkeys": [...]} argument.

Sign and verify raw bytes

import asyncio

from pgpy import PGPKey, PGPUID
from pgpy.constants import (
    CompressionAlgorithm,
    HashAlgorithm,
    KeyFlags,
    PubKeyAlgorithm,
    SymmetricKeyAlgorithm,
)

from swarmauri_signing_pgp import PgpEnvelopeSigner


def make_demo_key() -> PGPKey:
    key = PGPKey.new(PubKeyAlgorithm.RSAEncryptOrSign, 2048)
    uid = PGPUID.new("Example User", email="user@example.com")
    key.add_uid(
        uid,
        usage={KeyFlags.Sign},
        hashes=[HashAlgorithm.SHA256],
        ciphers=[SymmetricKeyAlgorithm.AES256],
        compression=[CompressionAlgorithm.ZLIB],
    )
    return key


async def main() -> None:
    signer = PgpEnvelopeSigner()
    key = make_demo_key()
    key_ref = {"kind": "pgpy_key", "priv": key}
    payload = b"openpgp demo"

    signatures = await signer.sign_bytes(key_ref, payload)
    verified = await signer.verify_bytes(
        payload,
        signatures,
        opts={"pubkeys": [key.pubkey]},
    )
    print("Verified:", verified)


asyncio.run(main())

The signer returns detached signatures that include both binary and ASCII-armored representations. Passphrases for locked private keys can be supplied through opts={"passphrase": "secret"}.

Sign envelopes

Envelopes are canonicalized before signing. JSON canonicalization is always available and CBOR becomes available when the optional dependency group is installed:

envelope = {"subject": "demo", "body": "hello"}
signatures = await signer.sign_envelope(key_ref, envelope, canon="json")
await signer.verify_envelope(
    envelope,
    signatures,
    canon="json",
    opts={"pubkeys": [key.pubkey]},
)

Use canon="cbor" to opt into CBOR canonicalization. The supports() helper exposes the available algorithms, canonicalization formats, and feature flags at runtime.