PGPainless is a wrapper around Bouncycastle, which provides an easy to use, intuitive, but also powerful API for OpenPGP (RFC4880).
Its primary functionality is encrypting, signing, decrypting and verifying data, as well as generating and modifying keys.
Why should I use it?
At FlowCrypt we are using PGPainless in our Kotlin code bases on Android and on server side. The ergonomy of legacy PGP tooling on Java is not very good, and PGPainless improves it greatly. We were so happy with our initial tests and with Paul - the maintainer, that we decided to sponsor further development of this library.
- Tom @ FlowCrypt.com
There are a bunch of reasons why you should consider switching to PGPainless:
Easy to use API
One main focus of the project is ease of use. Using Bouncycastle can be a hassle, since simple tasks require a substantial amount of boilerplate code and small mistakes are easily made. PGPainless aims at providing a simple interface to get the job done quickly, while not trading away functionality or correctness.
For examples of how to use the API, see the project's README.
Complementing Bouncycastle
PGPainless has Bouncycastle truly figured out!
If you already use BC in your code, PGPainless is a perfect complement! It allows you to remove many lines of boilerplate code and offers you the certitude of a dedicated JUnit test suite.
Furthermore, PGPainless scores second place on the very extensive Sequoia OpenPGP Interoperability Test Suite.
We have studied BC intensively, identified its shortcomings and came up with solutions to those:
Contrary to vanilla BC and some other BC-based OpenPGP libraries, PGPainless does signature verification the right way. It not only checks for signature correctness, but goes the extra mile to also check signature validity by taking into consideration key expiration dates, revocations, signature structures, etc.
Take a look at this blog post to get an idea of how complex signature verification with OpenPGP truly is.
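To make the distinction between signature correctness and signature validity concrete, here is a small added example (not PGPainless code, and not the library's API) in Python, used as a language-neutral model. It assumes the cryptographic check has already been done and models only the policy layer the paragraph above describes: key creation and expiration times, revocations with their RFC 4880 reason codes (hard revocations reject every signature, soft ones only signatures made after the revocation), and one structural rule, namely that the signature creation time must live in the hashed subpacket area. All keys, dates and signatures below are constructed for illustration.

```python
"""Toy model of OpenPGP signature validity on top of cryptographic correctness.

Added example, not PGPainless code.  The key and signature objects are a
simplified stand-in for real OpenPGP packets; the decision logic follows the
rules PGPainless is described as applying (expiration, revocation, structure).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# RFC 4880 section 5.2.3.23 "Reason for Revocation" codes (key revocations).
# 0 = no reason, 2 = key compromised  -> hard: every signature is rejected
# 1 = superseded, 3 = retired          -> soft: only later signatures rejected
HARD_REVOCATION_REASONS = {0, 2}
SOFT_REVOCATION_REASONS = {1, 3}


@dataclass(frozen=True)
class Revocation:
    created: datetime
    reason: int


@dataclass(frozen=True)
class SigningKey:
    """Simplified key: creation time, optional expiry, optional revocation,
    and whether the key carries the signing usage flag."""
    created: datetime
    expires: Optional[datetime] = None
    revocation: Optional[Revocation] = None
    can_sign: bool = True


@dataclass(frozen=True)
class Signature:
    created: datetime
    crypto_ok: bool                     # outcome of the mathematical check
    creation_time_hashed: bool = True   # creation-time subpacket signed?


def evaluate(sig: Signature, key: SigningKey, now: datetime) -> Tuple[bool, str]:
    """Return (valid, reason).  A correct signature is still *invalid* when the
    key's state at the signature's creation time does not permit it."""
    if not sig.crypto_ok:
        return False, "signature does not verify cryptographically"
    # Structural check: an unhashed creation time can be altered by anyone,
    # so every time-based decision below would rest on attacker-controlled data.
    if not sig.creation_time_hashed:
        return False, "creation time is not in the hashed subpacket area"
    if not key.can_sign:
        return False, "key is not flagged for signing"
    if sig.created < key.created:
        return False, "signature predates the signing key"
    if sig.created > now:
        return False, "signature creation time is in the future"
    if key.expires is not None and sig.created >= key.expires:
        return False, "key had expired when the signature was made"
    rev = key.revocation
    if rev is not None:
        if rev.reason in HARD_REVOCATION_REASONS:
            return False, "key is hard-revoked; all its signatures are rejected"
        if sig.created >= rev.created:
            return False, "key was already soft-revoked when the signature was made"
    return True, "valid"


# Constructed sample keys (not real key material).
ALICE = SigningKey(created=datetime(2020, 1, 1), expires=datetime(2022, 1, 1))
BOB_RETIRED = SigningKey(created=datetime(2020, 1, 1),
                         revocation=Revocation(datetime(2021, 6, 1), reason=3))
CAROL_COMPROMISED = SigningKey(created=datetime(2020, 1, 1),
                               revocation=Revocation(datetime(2021, 6, 1), reason=2))
NOW = datetime(2023, 1, 1)


def demo() -> dict:
    """Evaluate a handful of constructed signatures against the sample keys."""
    good = Signature(created=datetime(2021, 3, 1), crypto_ok=True)
    late = Signature(created=datetime(2022, 6, 1), crypto_ok=True)
    early = Signature(created=datetime(2019, 6, 1), crypto_ok=True)
    unhashed = Signature(created=datetime(2021, 3, 1), crypto_ok=True,
                         creation_time_hashed=False)
    after_retire = Signature(created=datetime(2021, 9, 1), crypto_ok=True)
    return {
        "alice_in_validity_period": evaluate(good, ALICE, NOW),
        "alice_after_expiry": evaluate(late, ALICE, NOW),
        "alice_before_key_creation": evaluate(early, ALICE, NOW),
        "alice_unhashed_creation_time": evaluate(unhashed, ALICE, NOW),
        "bob_before_retirement": evaluate(good, BOB_RETIRED, NOW),
        "bob_after_retirement": evaluate(after_retire, BOB_RETIRED, NOW),
        "carol_before_compromise": evaluate(good, CAROL_COMPROMISED, NOW),
    }


if __name__ == "__main__":
    for name, (valid, reason) in demo().items():
        print(f"{name:32s} {'VALID  ' if valid else 'INVALID'} {reason}")
```

Every signature in `demo()` is cryptographically correct (`crypto_ok=True`), yet only two of the seven are accepted; the rest fail on expiry, ordering, revocation or structure. That gap between "verifies" and "is valid" is exactly what a library that only checks the math leaves to the caller.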
Android Support
PGPainless is designed to work on Android versions down to API level 10 (Gingerbread). This makes PGPainless a good choice for implementing OpenPGP encryption in your Android app.
Compatibility with certain Android APIs is ensured through Animalsniffer.
Releases
PGPainless is released on the Maven Central repository. Including it in your project is simple:
Maven:
<dependency>
    <groupId>org.pgpainless</groupId>
    <artifactId>pgpainless-core</artifactId>
    <version>0.2.13</version>
</dependency>
Gradle:
repositories {
    mavenCentral()
}
dependencies {
    compile 'org.pgpainless:pgpainless-core:0.2.13'
}
There are snapshot releases available as well.
Command Line Interface
PGPainless provides an implementation of the Stateless OpenPGP Command Line Interface in the pgpainless-sop module.
This allows PGPainless to be used as a command line application for encryption/decryption and signature creation/validation.
More importantly, this allows PGPainless to be plugged into the Sequoia OpenPGP Interoperability Test Suite. This extensive test suite demonstrates how closely PGPainless follows the standard, especially when it comes to signature verification.
Security Audits
In late 2021, PGPainless was subject to an extensive security audit by the pentesting team of Cure53. The audit was generously sponsored and arranged by FlowCrypt.com!
Results of the audit are publicly available here. Wherever possible, findings of the audit have been fixed in a timely manner.
Forever Free Software
PGPainless is licensed under the Apache License 2.0 and this will never change.
Free Libre Open Source Software Rocks!
About
PGPainless was created during a Google Summer of Code project, for which an easy to use OpenPGP API for Java and Android was needed.
Originally we looked into forking bouncy-gpg, but since support for lower Android versions was a requirement, PGPainless was born as an independent project. In its early development stages the library was, however, influenced by bouncy-gpg, written by Jens Neuhalfen.
Development
PGPainless is currently developed by Paul Schaub (@vanitasvitae).
Contribute
Contributions are always welcome :) The project is developed in the following places:
Pull requests are accepted on either of them.
Bug Reports
If you encounter a bug, please check whether it has already been reported, either here or here, in order to avoid duplicate bug reports.