| Project | Python | SourceForge |
| Introduction |
| Legal Notes |
| Suitability |
| Setup |
| Download |
| Installation |
| How to |
| Key Generation |
| Signing a Document |
| Testing a Document |
| Trust Relationships |
| Documentation |
| TrustedPickle |
| ModuleObject |
| PrivateKey |
| PublicKey |
| PublicKeyFile |
| Signature |
| TPickle |
| TrustRelationship |
Signing a Document
Before you sign a document, you need something to sign. Almost any data object may be pickled. See the pickle manual page for details of what can and can not be saved in a pickle.
For the following examples, we'll use a datetime object.
| >>> import datetime >>> Now = datetime.datetime.now() >>> Doc = TrustedPickle.TPickle("datetime.tpk") >>> Doc.Pickle(Now) >>> Doc.Write() >>> glob.glob("datetime.tpk") ['datetime.tpk'] |
As you can see above, TrustedPickles can be saved before they are signed. TrustedPickles may have zero or more signatures. Each signature is that programmer's vouchure that the data is valid and safe. This flexibility gives you a convenient way to develop program add-ons:
A programmer develops an add-in module for an existing application. While in alpha testing, s/he leaves the TrustedPickle document unsigned for expediency. The application will warn about the dangers of using an unsigned document throughout the alpha-testing process.
When the module is ready for beta testing, the programmer signs the document with his/er own private key. Assuming the programmer does not yet have a trust relationship with the application's developer, the extension's beta testers are warned about the potential dangers of using the document.
We can assume these testers know the programmer, so they will okay the document's use and choose to ignore further warnings about documents signed by this particular programmer (i.e. the application will add the programmer's public key to their list of trusted programmers).
When the document has passed beta testing, it can then be handed off to another programmer, higher up the application's food chain. That programmer can then try out the code and sign it with their private key to show that they have confidence in the module's coding.
If this programmer is the application's coder (or is on the application's trusted list) then any user can use the newly-signed file without receiving a warning.
For projects with many developers, the document may need to be tested by other programmers, still higher up the food chain. These programmers can test the signatures of other programmers lower on the food chain before signing the document themselves. That way they can feel confident that the document has been tested by others as well.
Now let's sign this simple datetime object with our previously generated private key.
| >>> Doc.Sign(PubKeyFile, PrivKey) >>> Doc.Write() |
Pickling a Module
In addition to pickling data objects, TrustedPickle may also pickle most modules. However, it is important to note that when TrustedPickle pickles a module, it captures the disk image, not the memory image. In other words, when you unpickle the module, it will be as if you just imported it. The module's namespace is not saved in the pickling process.
| >>> ModPickle = TrustedPickle.TPickle("module.tpk") >>> ModPickle.Pickle(glob) >>> ModPickle.Write() >>> ModGlob = ModPickle.Unpickle() >>> ModGlob.glob("module.*") ['module.tpk'] |
Note: TrustedPickle will only pickle a module if the module is passed directly to the Pickle() function. It will not pickle a tuple of modules. If you pickle a class instance that has a module as a member, for instance, Pickle() will only save a reference to the module's name, just like the standard pickle module does.