wheel / wheel /

"""Store and retrieve wheel signing / verifying keys.

Given a scope (a package name, + meaning "all packages", or - meaning 
"no packages"), return a list of verifying keys that are trusted for that 

Given a package name, return a list of (scope, key) suggested keys to sign
that package (only the verifying keys; the private signing key is stored

Keys here are represented as urlsafe_b64encoded strings with no padding.

Tentative command line interface:

# list trusts
wheel trust
# trust a particular key for all
wheel trust + key
# trust key for beaglevote
wheel trust beaglevote key
# stop trusting a key for all
wheel untrust + key

# generate a key pair
wheel keygen

# import a signing key from a file
wheel import keyfile

# export a signing key
wheel export key

import json
import dirspec.basedir
import os.path
from wheel.util import native

class WheelKeys(object):
    SCHEMA = 1
    def __init__(self): = {'signers':[], 'verifiers':[]}
    def load(self):
        # XXX JSON is not a great database
        for path in dirspec.basedir.load_config_paths('wheel'):
            conf = os.path.join(native(path), 'wheel.json')
            if os.path.exists(conf):
                with open(conf, 'r') as infile:
           = json.load(infile)
                    for x in ('signers', 'verifiers'):
                        if not x in
                  [x] = []
                    if 'schema' not in
              ['schema'] = self.SCHEMA
                    if['schema'] != self.SCHEMA:
                        raise ValueError(
                            "Bad wheel.json version {}, expected {}".format((
                      ['schema'], self.SCHEMA)))
        return self

    def save(self):
        # Try not to call this a very long time after load() 
        path = dirspec.basedir.save_config_path('wheel')
        conf = os.path.join(native(path), 'wheel.json')
        with open(conf, 'w+') as out:
            json.dump(, out, indent=2)
        return self
    def trust(self, scope, vk):
        """Start trusting a particular key for given scope."""['verifiers'].append({'scope':scope, 'vk':vk})
        return self
    def untrust(self, scope, vk):
        """Stop trusting a particular key for given scope."""['verifiers'].remove({'scope':scope, 'vk':vk})
        return self
    def trusted(self, scope=None):
        """Return list of [(scope, trusted key), ...] for given scope."""
        trust = [(x['scope'], x['vk']) for x in['verifiers'] if x['scope'] in (scope, '+')]
        trust.sort(key=lambda x: x[0])
        return trust
    def signers(self, scope):
        """Return list of signing key(s)."""
        sign = [(x['scope'], x['vk']) for x in['verifiers'] if x['scope'] in (scope, '+')]
        sign.sort(key=lambda x: x[0])
        return sign
    def add_signer(self, scope, vk):
        """Remember verifying key vk as being valid for signing in scope."""['signers'].append({'scope':scope, 'vk':vk})