Example of 'PINENTRY_USER_DATA which can fulfill the' (envpassphrase) 'task'?

2024-03-21 Thread Bee via Gnupg-users
At https://dev.gnupg.org/T4154 , 'allow setting passphrase from an
environment variable', there is a comment of "I don't see why we
should add yet more clumsy passphrase workarounds to gpg. We already
have PINENTRY_USER_DATA which can fulfill the same task."

Can anyone give an example of doing so?

I am looking to effect the equivalent of:
'@rem Get passphrase into (env.) var. programmatically (in your
favourite manner)'
'set /p myenvpassphrase="Enter symmetric keyphrase to use:"
'echo "Secret data" | gpg.exe -c --envpassphrase myenvpassphrase >
secretdata.gpg'
- thereby avoiding storing any passphrase (even temporarily) on a
storage medium, or having it visible on the command line (via tasklist
or ps).
- in this case, the 'secret data' is actually confidential
information, piped from elsewhere, on the fly.

Of course, the '-envpassphrase' option doesn't exist in gpg currently,
but the comment at the above link indicates that there is another way
to effect the same intent.

Can anyone give an example of so doing?

A current means of effecting the same is, of course, '--passphrase-fd
3', for something like:
'echo "Secret data" | gpg.exe -c --passphrase-fd 3 3< echo %PASSWORD%
> secretdata.gpg'
- except I have no idea [in (Win 10) DOS, not powershell, cmd] how to
get anything into file descriptor 3.
= let alone get an echo into fd 3 (without actually landing on a
filesystem, even temporarily).

Of course:
'echo "Secret data" | gpg.exe -c --passphrase > secretdata.gpg'
- doesn't work, as stdin can't be 'in two places at once', both
passphrase input, and data input.
= Remember, "Secret data" isn't on disk, either - it's being piped in, too.

Has anyone got a link to a working example of '3<' or
'PINENTRY_USER_DATA which can fulfill the same task' of gpg picking up
its passphrase from an environment variable?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
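An added example, not code from the thread: the '3<' plumbing Bee asks about, written for a POSIX shell (sh, bash or dash, so it also fits a Cygwin or MSYS shell on Windows, but not cmd.exe). The payload arrives on stdin, the passphrase travels on fd 3 from a shell variable, and neither goes through a file or a command line. The stand-in `show_fds`, the placeholder passphrase `hunter2` and the wrapper names `run_with_passphrase_fd3`, `encrypt_symmetric_from_var` and `decrypt_symmetric_from_var` are this example's own; the gpg options are real.

```shell
#!/bin/sh
# Added example, not code from the thread: hand gpg a passphrase on fd 3
# while the payload comes in on stdin. Nothing touches a file or an argv.

# Run "$@" with stdin = the data stream we were given and fd 3 = a pipe that
# carries $1. The passphrase exists only in this shell's memory and in a kernel
# pipe buffer; printf is a builtin in sh/bash/dash, so it never shows in ps.
run_with_passphrase_fd3() {
  passphrase=$1
  shift
  # Outer group: park the data stream (our stdin) on fd 4.
  # Inner pipeline: stdin is now the passphrase pipe, so copy it to fd 3,
  # put the data stream back on stdin, and close the spare fd 4.
  {
    printf '%s\n' "$passphrase" | "$@" 3<&0 <&4 4<&-
  } 4<&0
}

# Stand-in for gpg so the plumbing can be checked without gpg installed:
# reads the passphrase from fd 3 and the payload from stdin.
show_fds() {
  pw=$(cat <&3)
  data=$(cat)
  printf 'passphrase_len=%s data=%s\n' "${#pw}" "$data"
}

# The real thing. GnuPG 2.1+ only honours --passphrase-fd together with
# --pinentry-mode loopback; --batch keeps it from ever opening a pinentry.
encrypt_symmetric_from_var() {
  run_with_passphrase_fd3 "$1" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase-fd 3 --symmetric --cipher-algo AES256
}
decrypt_symmetric_from_var() {
  run_with_passphrase_fd3 "$1" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase-fd 3 --decrypt
}

# Plumbing check on constructed input (passphrase "hunter2" is a placeholder):
printf 'Secret data\n' | run_with_passphrase_fd3 hunter2 show_fds
# Intended use, after prompting for MYPASS with echo turned off:
#   some_producer | encrypt_symmetric_from_var "$MYPASS" > secretdata.gpg
#   decrypt_symmetric_from_var "$MYPASS" < secretdata.gpg
```

Two caveats. The variable itself is readable by any process of the same user through /proc/<pid>/environ once it is exported, so keep it a plain shell variable and never `export` it. And bash's `<<<` herestrings and here-documents are backed by a temporary file in releases before 5.1, which is exactly the disk landing Bee wants to avoid; the pipe-and-dup form above does not have that problem.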


Re: Fails signing key with Yubikey

2024-03-21 Thread Werner Koch via Gnupg-users
Hi!

> gpg -K --with-colon 20E0635864445A177F8F7C0C6141FD27892AE9B4 
> sec:u:255:22:6141FD27892AE9B4:1700197485:::u:::cESCA:::#::ed25519:::0: 

This is your primary key and it has been taken offline ..^.. marked by
the pound sign.  Only the primary key can be used to sign other keys.

> ssb:u:255:22:D0753D43F3C7A942:1700197520:1731733520:s:::D276000124010304000625017386::ed25519::

This is a signing subkey on a card with s/n *17386.

> ssb:u:255:18:90A11AD910FBE44E:1700197567:1731733567:e:::D276000124010304000625017386::cv25519::

This is an encryption subkey on a card with s/n *17386.

> ssb:u:255:22:3A7E3018D78FC26A:1700197579:1731733579:a:::D276000124010304000625017386::ed25519::

This is an authentication subkey on a card with s/n *17386.

You need to go to the machine where you have stored the private part of
the primary key.  Or get that key using its keygrip (see the "grp" line)
and put it into the ~/.gnupg/private-keys-v1.d/ directory.  But you
probably took the key offline for improved security and thus you had
better not re-import it and indeed use the other box for key signing.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Fails signing key with Yubikey

2024-03-21 Thread Ingo Klöcker
On Donnerstag, 21. März 2024 08:22:48 CET Alexis via Gnupg-users wrote:
>  I'm trying to sign a secondary key with my yubikey, however it fails
> saying the private key is not found. I'm able to sign files with `--sign`,
> but am not able to use `--sign-key`.

Your Yubikey holds three keys:
* a signing key (corresponding to a sign-only subkey of your OpenPGP key)
> ssb:u:255:22:D0753D43F3C7A942:1700197520:1731733520:s:::D276000124010304000625017386::ed25519::
* an encryption key
> ssb:u:255:18:90A11AD910FBE44E:1700197567:1731733567:e:::D276000124010304000625017386::cv25519::
* an authentication key
> ssb:u:255:22:3A7E3018D78FC26A:1700197579:1731733579:a:::D276000124010304000625017386::ed25519::

None of those keys are suitable for certifying other keys because for this you 
need a certification key. Only the primary key of your OpenPGP key can be used 
for certifying.
> sec:u:255:22:6141FD27892AE9B4:1700197485:::u:::cESCA:::#::ed25519:::0:

Regards,
Ingo




Fails signing key with Yubikey

2024-03-21 Thread Alexis via Gnupg-users
Dear GnuPG,

 I'm trying to sign a secondary key with my yubikey, however it fails 
saying the private key is not found. I'm able to sign files with `--sign`, but 
am not able to use `--sign-key`. This issue was posted about by someone else at 
https://dev.gnupg.org/T6411



```
gpg --version
gpg (GnuPG) 2.4.5
libgcrypt 1.10.3-unknown
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/alexis/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```


```
gpg -K --with-colon 20E0635864445A177F8F7C0C6141FD27892AE9B4
sec:u:255:22:6141FD27892AE9B4:1700197485:::u:::cESCA:::#::ed25519:::0:
fpr:20E0635864445A177F8F7C0C6141FD27892AE9B4:
grp:1486B645AD4F1642BEDDA35BE0A03E24176B8736:
uid:u1700197485::27E90DFEEB5D485431C85BC651668AB9FEC8A169::Alexis ::0:
ssb:u:255:22:D0753D43F3C7A942:1700197520:1731733520:s:::D276000124010304000625017386::ed25519::
fpr:13511F6F0880AABD07AA1035D0753D43F3C7A942:
grp:A8919684010395C76A981BB322E13011DEA9E1CC:
ssb:u:255:18:90A11AD910FBE44E:1700197567:1731733567:e:::D276000124010304000625017386::cv25519::
fpr:B5B4442C9A5104824B0F0DA390A11AD910FBE44E:
grp:583172CF6C0231FD03CDFC174A081F13EA565480:
ssb:u:255:22:3A7E3018D78FC26A:1700197579:1731733579:a:::D276000124010304000625017386::ed25519::
fpr:1B10245AA781FC2BDADB4BB93A7E3018D78FC26A:
grp:C3F9CAF98B582FC5BD82862F27E008C713F8536F:
```



Thanks,

Alexis


Re: How can I have gpg pause to receive its passphrase, before it starts outputing decrypt to stdout?

2024-03-21 Thread Jakob Bohm via Gnupg-users

On 2024-03-19 00:01, Bee via Gnupg-users wrote:
>> However if you know the passphrase, you can pass it to gpg directly using
>> --passphrase-file and --pinentry-mode=loopback.
>
> I figured, but am trying to avoid having the passphrase land on disk at all.
>
>> Due to the way a pipe works there is not much you can do here.
>
> Except (I would hope?) if gpg were to make sure nothing is written to
> stdout until after the passphrase was completely acquired, before
> decrypting and writing the decrypt to stdout, I don't expect less will
> have cleared the screen to that point. [Less waits to clear screen,
> etc., until after it receives something / anything at stdin. (?)]
>
>> You are using a Cygwin version of the standard shell here?
>
> No, standard DOS prompt (Win 10). Just that cygwin is along the path.
> (It's win jq, in this case, however.) [cygwin less.exe being quieter
> and more functional than dos' more.exe.]
>
>> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
>
> (1) EPIPE? As in '2|' - that's a thing (in 'Win 10' dos)?

EPIPE is the C/POSIX error code a program receives when the pipe it
reads from ends.  In this case the ordinary stdout pipe. However the
Microsoft CMD.EXE supports a surprisingly large subset of Unix shell
options, but sometimes with slightly different syntax. Some but not
all of this is documented in the builtin help output such as cmd /?
and set /? etc.

However in this case the problem is that the shell, whichever you use,
will start the redirection to jq immediately, because the shell knows
nothing about gpg.exe or what part of its user interface to treat
specially.  Using a "pinentry-program" helper that prompts via the
Win32/X11 GUI is the official solution for such cases.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


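The "pinentry-program helper" Jakob points to is also the mechanism behind the PINENTRY_USER_DATA remark Bee quotes from T4154: when gpg runs with that variable set, it passes the value to gpg-agent, which forwards it to whatever pinentry is configured as an Assuan line `OPTION pinentry-user-data=<value>`. Below is an added example, not from the thread and not part of GnuPG, of a minimal pinentry in POSIX sh that answers `GETPIN` with that value instead of prompting. The script name `pinentry-user-data`, the function name `pinentry_user_data_serve` and the sample passphrase `hunter2` are this example's assumptions; the protocol commands, the `D`/`OK` responses and the `ERR 83886179 Operation cancelled` reply are the pinentry protocol's own.

```shell
#!/bin/sh
# pinentry-user-data: a minimal pinentry that never prompts. gpg-agent starts
# it, speaks the Assuan pinentry protocol over its stdin/stdout and, when the
# gpg client had PINENTRY_USER_DATA set, sends "OPTION pinentry-user-data=...".
# GETPIN is answered with that value. Added example, not part of GnuPG.
#
# Caveat: Assuan percent-escapes %, CR and LF in OPTION values and expects the
# same in D lines. This example neither decodes nor encodes, so keep those
# characters out of the passphrase or add the escaping before using it.
pinentry_user_data_serve() {
  pin=""
  printf 'OK Pleased to meet you\n'      # greeting every pinentry must send first
  while IFS= read -r line; do
    case $line in
      "OPTION pinentry-user-data="*)
        pin=${line#*=}                   # everything after the first '='
        printf 'OK\n' ;;
      GETPIN)
        if [ -n "$pin" ]; then
          printf 'D %s\n' "$pin"         # the passphrase goes back as a data line
          printf 'OK\n'
        else
          # Nothing was forwarded: behave like a user pressing Cancel
          printf 'ERR 83886179 Operation cancelled\n'
        fi ;;
      BYE)
        printf 'OK closing\n'
        return 0 ;;
      *)
        printf 'OK\n' ;;                 # SETDESC, SETPROMPT, GETINFO, CONFIRM ...
    esac
  done
}

# Serve only when executed under the pinentry's own name (gpg-agent may also
# pass --display, so do not key off $1); sourcing the file for tests runs nothing.
case ${0##*/} in
  pinentry-user-data) pinentry_user_data_serve ;;
esac
```

To wire it up: install the script as, say, `~/.gnupg/pinentry-user-data`, make it executable, put `pinentry-program /home/you/.gnupg/pinentry-user-data` in `~/.gnupg/gpg-agent.conf`, run `gpgconf --reload gpg-agent`, and then `PINENTRY_USER_DATA="$MYPASS" gpg -c` (or, in cmd.exe, `set PINENTRY_USER_DATA=...` before `gpg.exe -c`) encrypts without a prompt while stdin stays free for the data. The cost is the one Bee is wary of: the value sits in the environment of gpg, where same-user processes can read it, and gpg-agent will cache the passphrase it obtains. Note also that with this pinentry installed every other prompt is auto-confirmed or cancelled, so it belongs in a dedicated GNUPGHOME rather than your everyday one, and that on Windows gpg-agent needs an executable, not a .sh file, for pinentry-program.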