4.8. Crypto


Converts a GPGME hash algorithm name to one conforming to RFC3156.

GPGME returns hash algorithm names such as “SHA256”, but RFC3156 says that programs need to use names such as “pgp-sha256” instead.

Parameters:hash_algo – GPGME hash_algo
Return type:str
alot.crypto.check_uid_validity(key, email)

Check that a the email belongs to the given key. Also check the trust level of this connection. Only if the trust level is high enough (>=4) the email is assumed to belong to the key.

  • key (gpgme.Key) – the GPG key to which the email should belong
  • email (str) – the email address that should belong to the key

whether the key can be assumed to belong to the given email

Return type:



Decrypts the given ciphertext string and returns both the signatures (if any) and the plaintext.

Parameters:encrypted – the mail to decrypt
Returns:a tuple (sigs, plaintext) with sigs being a list of a gpgme.Signature and plaintext is a str holding the decrypted mail
Raises:GPGProblem if the decryption fails
alot.crypto.detached_signature_for(plaintext_str, key=None)

Signs the given plaintext string and returns the detached signature.

A detached signature in GPG speak is a separate blob of data containing a signature for the specified plaintext.

  • plaintext_str – text to sign
  • key – gpgme_key_t object representing the key to use
Return type:

tuple of gpgme.NewSignature array and str

alot.crypto.encrypt(plaintext_str, keys=None)

Encrypts the given plaintext string and returns a PGP/MIME compatible string

  • plaintext_str – the mail to encrypt
  • key – gpgme_key_t object representing the key to use
Return type:

a string holding the encrypted mail

alot.crypto.get_key(keyid, validate=False, encrypt=False, sign=False, signed_only=False)

Gets a key from the keyring by filtering for the specified keyid, but only if the given keyid is specific enough (if it matches multiple keys, an exception will be thrown).

If validate is True also make sure that returned key is not invalid, revoked or expired. In addition if encrypt or sign is True also validate that key is valid for that action. For example only keys with private key can sign. If signed_only is True make sure that the user id can be trusted to belong to the key (is signed). This last check will only work if the keyid is part of the user id associated with the key, not if it is part of the key fingerprint.

  • keyid (str) – filter term for the keyring (usually a key ID)
  • validate (bool) – validate that returned keyid is valid
  • encrypt (bool) – when validating confirm that returned key can encrypt
  • sign (bool) – when validating confirm that returned key can sign
  • signed_only (bool) – only return keys whose uid is signed (trusted to belong to the key)
Return type:



Returns a hash of the given key. This is a workaround for https://bugs.launchpad.net/pygpgme/+bug/1089865 and can be removed if the missing feature is added to pygpgme.

Parameters:key (gpgme.Key) – the key we want a hash of
Returns:a hash of the key
Return type:str
alot.crypto.list_keys(hint=None, private=False)

Returns a list of all keys containing keyid.

  • keyid – The part we search for
  • private – Whether secret keys are listed
Return type:


alot.crypto.validate_key(key, sign=False, encrypt=False)

Assert that a key is valide and optionally that it can be used for signing or encrypting. Raise GPGProblem otherwise.

  • key (gpgme.Key) – the GPG key to check
  • sign (bool) – whether the key should be able to sign
  • encrypt (bool) – whether the key should be able to encrypt
alot.crypto.verify_detached(message, signature)

Verifies whether the message is authentic by checking the signature.

  • message – the message as str
  • signature – a str containing an OpenPGP signature

a list of gpgme.Signature


GPGProblem if the verification fails