Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?

2024-03-18 Thread Jacob Bachmeyer via Gnupg-users

Bee via Gnupg-users wrote:

However if you know the passphrase, you can pass it to gpg directly using 
--passphrase-file and --pinentry-mode=loopback.


I figured, but am trying to avoid having the passphrase land on disk at all.
  


Could you set up a RAM disk for this?  (I think Windows still has those, 
but it has been a few years since I have used Windows any significant 
amount.)



-- Jacob

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?

2024-03-18 Thread Bee via Gnupg-users
> However if you know the passphrase, you can pass it to gpg directly using 
> --passphrase-file and --pinentry-mode=loopback.
I figured, but am trying to avoid having the passphrase land on disk at all.

> Due to the way a pipe works there is not much you can do here.
Except (I would hope?) if gpg were to make sure nothing is written to
stdout until after passphrase was completely acquired, before
decrypting and writing the decrypt to stdout, I don't expect less will
have cleared the screen to that point. [Less waits to clear screen,
etc., until after it receives something / anything at stdin. (?)]

> You are using a Cygwin version of the standard shell here?
No, standard DOS prompt (Win 10). Just that cygwin is along the path.
(It's win jq, in this case, however.) [cygwin less.exe being quieter
and more functional than dos' more.exe.]

> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
(1) EPIPE? As in '2|' - that's a thing (in 'Win 10' dos)?
(2) gpg has not failed here. I guess the issue is also gpg displaying
prompt, also confusing less.

I will have to try 'gpg.exe -d somefile.gpg < con: 2> nul: | jq.exe |
less', or something like.

Curious that '( gpg.exe -d somefile.gpg | jq.exe ) | less' displays
sufficiently well - I'm guessing I'm just getting lucky with
(sub-shell?) delays, giving things time to display.


On Mon, Mar 18, 2024 at 9:55 AM Werner Koch wrote:
>
> On Sat, 16 Mar 2024 21:26, B.S. said:
> > ... (Windows 10) [DOS] cmd ... [*NOT* powershell]
> > ... cygwin gpg ...
>
> [Do not use a Cygwin build of gpg - this is not supported.  Use a
> standard build for Windows.]
>
> > How can I have gpg pause to receive its passphrase, before it starts
> > outputting decrypt to stdout?
>
> Due to the way a pipe works there is not much you can do here.  Except
> for having some kind of buffering tool in between.  However, if you know
> the passphrase, you can pass it to gpg directly using --passphrase-file
> and --pinentry-mode=loopback.
>
> > So if gpg could finish getting its passphrase from 'readline' before
> > opening stdout (that less then sees to clear the screen and open its
>
> The pipeline is constructed by the shell (cmd.exe) and file descriptors
> are given to the programs.  There is nothing any of the programs can do
> here.  In fact when using a pipeline in this way, the next program in
> the line should be able to handle the output of the former which means
> it will expect valid output.
>
> > So far:
> > ( gpg.exe -d somefile.gpg | jq.exe ) | less
>
> You are using a Cygwin version of the standard shell here?  In this case
> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
>
> You may consider to use gpgme-json as a higher level API to gpg.  But of
> course it does not work the usual way in a pipe.




How can I 'echo' into fd 3 to be able to use it on a gpg cmd line?

2024-03-18 Thread Bee via Gnupg-users
... (Windows 10) [DOS] cmd ... [*NOT* powershell]
... cygwin gpg ...

How can I 'echo' into fd 3 to be able to use it on a gpg cmd line?
e.g. 'echo "Secret data" | gpg.exe -c --passphrase-fd 3 3< echo %PASSWORD%'

[Ignore the need, or not, for --batch and/or --pinentry-mode loopback,
I can wrestle with those separately.]
(I am trying to avoid the passphrase from appearing in cleartext
within tasklists, etc.)


I am working on a BitWarden(-cli) backup script. So the 'echo "Secret
data"' above is actually something like:
bitwarden-cli --export json | gpg -c ... >...bitwarden_backup.json.pgp
- the hangup seems to be how to echo into 3< to be able to use it as
input, for '--passphrase-fd 3'.

[Or 7< echo %PASSWORD%, for that matter - it seems powershell uses 3-6
for stdwarn|verbose|debug|info, and probably best to avoid potential
future conflicts.]


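The mechanism asked for in the message above (a passphrase delivered on a numbered descriptor that never exists as a file and never appears in a command line), combined with the "buffering tool in between" that Werner suggests in the "pause to receive its passphrase" thread: gpg's entire output is collected before anything downstream sees it, so a pager cannot race the passphrase prompt. This is an added example, not code from the thread or from GnuPG. It is POSIX-only, because it relies on Python's `pass_fds`, which Python does not support on Windows; cmd.exe's `3<` redirection takes a file name, which is exactly what the poster wants to avoid, so this does not answer the cmd.exe case directly. The gpg options used are the documented `--passphrase-fd`, `--pinentry-mode loopback`, `--batch` and `--symmetric`/`--decrypt`; the `{FD}` placeholder, the function names, the sample passphrase and the stand-in "export" are all constructed for the example.

```python
"""Added example (not from the thread or GnuPG): hand gpg its passphrase
over an anonymous pipe and collect its whole output before any pager or
filter sees it.  POSIX only: depends on subprocess pass_fds."""
import os
import shutil
import subprocess
import sys
from typing import Sequence


def run_with_passphrase_fd(argv_template: Sequence[str], passphrase: str,
                           stdin_data: bytes = b"") -> bytes:
    """Run argv_template with the placeholder "{FD}" replaced by the number
    of a pipe carrying `passphrase`; return the child's complete stdout.

    Only the read end is inherited.  The parent writes one line and closes
    its copies, so the child reads the passphrase and then sees EOF.  The
    passphrase is never on disk and never in the argument list (tasklist,
    ps and /proc show only the descriptor number).
    """
    read_fd, write_fd = os.pipe()          # non-inheritable by default
    try:
        argv = [a.replace("{FD}", str(read_fd)) for a in argv_template]
        proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                pass_fds=(read_fd,))  # same number in the child
        os.close(read_fd)
        read_fd = -1
        # One short line fits in the pipe buffer, so this write cannot block.
        os.write(write_fd, passphrase.encode() + b"\n")
        os.close(write_fd)
        write_fd = -1
        out, err = proc.communicate(stdin_data)  # drains stdout completely
    finally:
        for fd in (read_fd, write_fd):
            if fd >= 0:
                os.close(fd)
    if proc.returncode != 0:
        raise RuntimeError(f"{argv[0]} exited {proc.returncode}: "
                           f"{err.decode(errors='replace').strip()}")
    return out


def gpg_symmetric_encrypt(plaintext: bytes, passphrase: str) -> bytes:
    """gpg -c with the passphrase read from the inherited descriptor."""
    return run_with_passphrase_fd(
        ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
         "--passphrase-fd", "{FD}", "--symmetric", "--output", "-"],
        passphrase, plaintext)


def gpg_decrypt(ciphertext: bytes, passphrase: str) -> bytes:
    """gpg -d of a blob on stdin, passphrase again over the descriptor."""
    return run_with_passphrase_fd(
        ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
         "--passphrase-fd", "{FD}", "--decrypt"],
        passphrase, ciphertext)


def selftest_without_gpg() -> bytes:
    """Exercise the descriptor plumbing with a Python child standing in
    for gpg: it reads the passphrase from the inherited fd named in
    argv[1], then echoes it followed by whatever arrived on stdin."""
    child = ("import os, sys; fd = int(sys.argv[1]); pw = os.read(fd, 256); "
             "sys.stdout.buffer.write(pw + sys.stdin.buffer.read())")
    return run_with_passphrase_fd([sys.executable, "-c", child, "{FD}"],
                                  "hunter2", b"payload")


if __name__ == "__main__":
    assert selftest_without_gpg() == b"hunter2\npayload"
    if shutil.which("gpg"):
        secret = b'{"items": []}\n'       # constructed stand-in for an export
        pw = "correct horse battery staple"
        blob = gpg_symmetric_encrypt(secret, pw)
        assert gpg_decrypt(blob, pw) == secret
        # Only now is the complete plaintext handed on; a pager or jq
        # started here cannot race gpg, because gpg has already exited.
        sys.stdout.buffer.write(secret)
```

The design point is that the passphrase crosses a process boundary only through an inherited pipe, and that the parent waits for gpg to finish before it writes anything toward the next program; that ordering is what the shell-constructed pipeline in the thread cannot give.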

Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?

2024-03-18 Thread Bee via Gnupg-users
> However if you know the passphrase, you can pass it to gpg directly using 
> --passphrase-file and --pinentry-mode=loopback.
I figured, but am trying to avoid having the passphrase land on disk at all.

> Due to the way a pipe works there is not much you can do here.
Except (I would hope?) if gpg were to make sure nothing is written to
stdout until after passphrase was completely acquired, before
decrypting and writing the decrypt to stdout, I don't expect less will
have cleared the screen to that point. [Less waits to clear screen,
etc., until after it receives something / anything at stdin, IIRC.]

> You are using a Cygwin version of the standard shell here?
No, standard DOS prompt (Win 10). Just that cygwin is along the path.
(It's win jq, in this case, however.) [cygwin less.exe being quieter
and more functional than dos' more.exe.]

> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
(1) EPIPE? As in '2|' - that's a thing (in 'Win 10' dos)?
(2) gpg has not failed here. I guess the issue is also gpg displaying
prompt, also confusing less.

I will have to try 'gpg.exe -d somefile.gpg < con: 2> nul: | jq.exe |
less', or something like.

Curious that '( gpg.exe -d somefile.gpg | jq.exe ) | less' displays
sufficiently well - I'm guessing I'm just getting lucky with
(sub-shell?) delays, giving things time to display.

On Mon, Mar 18, 2024 at 9:58 AM Werner Koch via Gnupg-users wrote:
>
> On Sat, 16 Mar 2024 21:26, B.S. said:
> > ... (Windows 10) [DOS] cmd ... [*NOT* powershell]
> > ... cygwin gpg ...
>
> [Do not use a Cygwin build of gpg - this is not supported.  Use a
> standard build for Windows.]
>
> > How can I have gpg pause to receive its passphrase, before it starts
> > outputting decrypt to stdout?
>
> Due to the way a pipe works there is not much you can do here.  Except
> for having some kind of buffering tool in between.  However, if you know
> the passphrase, you can pass it to gpg directly using --passphrase-file
> and --pinentry-mode=loopback.
>
> > So if gpg could finish getting its passphrase from 'readline' before
> > opening stdout (that less then sees to clear the screen and open its
>
> The pipeline is constructed by the shell (cmd.exe) and file descriptors
> are given to the programs.  There is nothing any of the programs can do
> here.  In fact when using a pipeline in this way, the next program in
> the line should be able to handle the output of the former which means
> it will expect valid output.
>
> > So far:
> > ( gpg.exe -d somefile.gpg | jq.exe ) | less
>
> You are using a Cygwin version of the standard shell here?  In this case
> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
>
> You may consider to use gpgme-json as a higher level API to gpg.  But of
> course it does not work the usual way in a pipe.




Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?

2024-03-18 Thread Werner Koch via Gnupg-users
On Sat, 16 Mar 2024 21:26, B.S. said:
> ... (Windows 10) [DOS] cmd ... [*NOT* powershell]
> ... cygwin gpg ...

[Do not use a Cygwin build of gpg - this is not supported.  Use a
standard build for Windows.]

> How can I have gpg pause to receive its passphrase, before it starts
> outputting decrypt to stdout?

Due to the way a pipe works there is not much you can do here.  Except
for having some kind of buffering tool in between.  However, if you know
the passphrase, you can pass it to gpg directly using --passphrase-file
and --pinentry-mode=loopback.

> So if gpg could finish getting its passphrase from 'readline' before
> opening stdout (that less then sees to clear the screen and open its

The pipeline is constructed by the shell (cmd.exe) and file descriptors
are given to the programs.  There is nothing any of the programs can do
here.  In fact when using a pipeline in this way, the next program in
the line should be able to handle the output of the former which means
it will expect valid output.

> So far:
> ( gpg.exe -d somefile.gpg | jq.exe ) | less

You are using a Cygwin version of the standard shell here?  In this case
make sure that jq.exe gets its EPIPE from the failed gpg.exe.

You may consider to use gpgme-json as a higher level API to gpg.  But of
course it does not work the usual way in a pipe.


Salam-Shalom,

   Werner



-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: gpg-agent "forgetting" keys when getting many parallel requests

2024-03-18 Thread Bence Ferdinandy via Gnupg-users


On Mon Mar 18, 2024 at 09:50, Werner Koch wrote:
> On Sun, 17 Mar 2024 13:09, Bence Ferdinandy said:
>
> > running out of memory. Based on a discussion I found
> > (https://dev.gnupg.org/T4255), I set `auto-expand-secmem 100M` in
>
> Right.  The man page says:
>
>  --auto-expand-secmem n
>  
>Allow Libgcrypt to expand its secure memory area as required.
>The optional value n is a non-negative integer with a suggested
>size in bytes of each additionally allocated secure memory area.
>The value is rounded up to the next 32 KiB; usual C style
>prefixes are allowed.  For an heavy loaded gpg-agent with many
>concurrent connection this option avoids sign or decrypt errors
>due to out of secure memory error returns.
>
> You should not append the 'M' - it is simply ignored.  That is a bug in
> the option parser but we can't fix that because it would break too many
> configs which falsely assume that a letter can be used for some kind of
> unit.
>
> The value is actually irrelevant because any value will enable the
> auto-expand behaviour.  Larger chunks can make memory allocation a bit
> faster because every free() call needs to check the linked list of
> secure memory pools.  I am not sure whether this is measurable, though.

Thanks for the clarification! 

Best,
Bence

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Feature Request: 64-bit Windows Support for GnuPG

2024-03-18 Thread Werner Koch via Gnupg-users
Hi!

and thanks for asking.

On Sun, 17 Mar 2024 11:29, pal said:

> I am writing to express my strong interest in a 64-bit version of GnuPG for
> Windows. While I understand that currently only 32-bit systems (x86) are
> officially supported, I believe adding 64-bit compatibility would be a
> valuable improvement for many users.

Sure.  In particular servers are sometimes installed w/o 32 bit support.

GnuPG 2.6 will come as 64 bit Windows binary.  A first beta is planned
for this summer.  See https://dev.gnupg.org/T6508 for the status.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: gpg-agent "forgetting" keys when getting many parallel requests

2024-03-18 Thread Werner Koch via Gnupg-users
On Sun, 17 Mar 2024 13:09, Bence Ferdinandy said:

> running out of memory. Based on a discussion I found
> (https://dev.gnupg.org/T4255), I set `auto-expand-secmem 100M` in

Right.  The man page says:

 --auto-expand-secmem n
 
   Allow Libgcrypt to expand its secure memory area as required.
   The optional value n is a non-negative integer with a suggested
   size in bytes of each additionally allocated secure memory area.
   The value is rounded up to the next 32 KiB; usual C style
   prefixes are allowed.  For an heavy loaded gpg-agent with many
   concurrent connection this option avoids sign or decrypt errors
   due to out of secure memory error returns.

You should not append the 'M' - it is simply ignored.  That is a bug in
the option parser but we can't fix that because it would break too many
configs which falsely assume that a letter can be used for some kind of
unit.

The value is actually irrelevant because any value will enable the
auto-expand behaviour.  Larger chunks can make memory allocation a bit
faster because every free() call needs to check the linked list of
secure memory pools.  I am not sure whether this is measurable, though.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


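A small lint that makes the pitfall in the two messages above concrete: it reads a gpg-agent.conf and reports what an "auto-expand-secmem" line actually configures, following the behaviour Werner describes (a trailing unit letter such as "M" is silently ignored, the value is rounded up to the next 32 KiB, and any value enables auto-expansion). This is an added example, not GnuPG code. The leading-integer scan is an assumption modelled on strtoul() semantics ("usual C style prefixes"); GnuPG's real option parser is not reproduced, and the sample config is constructed.

```python
"""Added example (not GnuPG code): lint gpg-agent.conf for
auto-expand-secmem values written with a unit suffix, and show the
value the option parser actually sees."""
import re
from dataclasses import dataclass
from typing import List

CHUNK = 32 * 1024   # man page: "rounded up to the next 32 KiB"

# Assumed strtoul()-style scan: 0x... hex, leading 0 octal, else decimal.
# Whatever follows the digits is dropped, which is how "100M" becomes 100.
_LEADING_INT = re.compile(r"\s*(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)")


@dataclass
class SecmemSetting:
    raw: str          # value exactly as written in the config file
    requested: int    # the integer the option parser actually sees
    effective: int    # chunk size in bytes after rounding up to CHUNK
    ignored: str      # trailing text that had no effect on the value


def parse_auto_expand_secmem(value: str) -> SecmemSetting:
    """Interpret one auto-expand-secmem value the way the thread describes."""
    m = _LEADING_INT.match(value)
    if m is None:
        n, rest = 0, value.strip()          # nothing numeric: parser sees 0
    else:
        tok = m.group(1)
        if tok[:2].lower() == "0x":
            n = int(tok[2:], 16)
        elif len(tok) > 1 and tok[0] == "0":
            n = int(tok[1:], 8)
        else:
            n = int(tok, 10)
        rest = value[m.end():].strip()
    effective = (n + CHUNK - 1) // CHUNK * CHUNK
    return SecmemSetting(value.strip(), n, effective, rest)


def lint_gpg_agent_conf(text: str) -> List[str]:
    """One finding per auto-expand-secmem line; other lines are ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0] != "auto-expand-secmem":
            continue
        if len(parts) == 1:
            findings.append(f"line {lineno}: auto-expand-secmem enabled, "
                            f"chunk size left to libgcrypt")
            continue
        s = parse_auto_expand_secmem(parts[1])
        msg = (f"line {lineno}: auto-expand-secmem {s.raw!r}: parser sees "
               f"{s.requested}, effective chunk {s.effective} bytes")
        if s.ignored:
            msg += (f"; suffix {s.ignored!r} is ignored (write the byte "
                    f"count instead); auto-expansion is enabled either way")
        findings.append(msg)
    return findings


# Constructed gpg-agent.conf excerpt containing the mistake from the thread.
SAMPLE_CONF = """\
# gpg-agent.conf (constructed sample)
default-cache-ttl 600
auto-expand-secmem 100M
"""

if __name__ == "__main__":
    for finding in lint_gpg_agent_conf(SAMPLE_CONF):
        print(finding)
```

On the sample the lint reports that "100M" is parsed as 100 and rounded up to a 32768-byte chunk, not the 100 MiB the author intended; as Werner notes, the expansion is enabled regardless, so the only real effect of the suffix is a misleading config.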