Re: Newbie can't get --passphrase option to work

2017-05-16 Thread Peter Lebbing
On 16/05/17 13:31, Dan Kegel wrote:
> That wasn't my experience.  I used keys with no passphrase,
> and *still* had to use loopback (and jump through other hoops) to get
> gpg to work unattended.

I was talking about the things one usually does on a headless server,
which is decryption and data signatures. I'm unaware of this having any
issues, and I don't see you mention them in your referenced posts either.

I haven't ever heard unattended certifications being discussed; I don't
know if it is straightforward.

With regards to key management, this is often something a logged in
human user does and can hence do without having to wrestle unattended
stuff. I understand this doesn't always apply, but the OP here was
talking about decryption, not key management. That should be
straightforward.

When I say, by the way, that having no passphrase is better than using a
passphrase which is literally contained in a script, I'm saying that it
is usually better, not that it is always appropriate. It might be
appropriate to solve it in a different way, but a passphrase literally
in a script is probably not it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Newbie can't get --passphrase option to work

2017-05-16 Thread Dan Kegel
On Tue, May 16, 2017 at 12:31 AM, Peter Lebbing wrote:
> You should also ask yourself what the purpose of the passphrase is other
> than to make your life difficult
> You should probably just remove the passphrase from the key. That way
> any decryption or signature will just succeed without jumping through
> hoops to pass the passphrase to GnuPG.

That wasn't my experience.  I used keys with no passphrase,
and *still* had to use loopback (and jump through other hoops) to get
gpg to work unattended.
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html
describe my travails.  It was several days of learning curve.  In fairness,
I needed a solution that worked with all versions of gpg that shipped
with any LTS version of ubuntu, not just the current release, which
made things a bit harder.
- Dan



Re: Newbie can't get --passphrase option to work

2017-05-16 Thread Peter Lebbing
On 12/05/17 16:15, Ryk McDorman wrote:
> In the program I'm passing the output and input filenames as parameters to a 
> one-line batch file consisting of this command:
> echo | "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch  
> --output %1  --passphrase-fd 0 --decrypt %2

You should also ask yourself what the purpose of the passphrase is other
than to make your life difficult. Your disk holds a file with an
encrypted private key as well as a file containing the plaintext
password. Why would an attacker that is able to access the encrypted
private key not also be able to access the PowerShell script with the
password? What purpose does the password serve in this scenario?

You should probably just remove the passphrase from the key. That way
any decryption or signature will just succeed without jumping through
hoops to pass the passphrase to GnuPG.

HTH,

Peter.

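The following is an added example, not code from this thread or from the GnuPG project, showing Peter's recommendation carried out on the OP's platform: the batch job gets its own key that has no passphrase, the GnuPG home directory is restricted to the account the job runs as, and decryption then needs nothing beyond --batch. The install path is the one from the OP's command; the home directory, key names, e-mail address, account and file paths are assumptions.

```powershell
# Added example, not code from the thread: Peter Lebbing's suggestion carried
# out. The batch job gets its own key that has no passphrase, the GnuPG home is
# restricted to the job's account, and decryption needs nothing beyond --batch.
# Install path (from the OP's command), names, addresses and file paths are assumptions.

$Gpg     = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'
$GpgHome = Join-Path $env:APPDATA 'gnupg'   # GnuPG's default home on Windows

# Unattended key generation. '%no-protection' (GnuPG 2.1 and later) creates the
# key without a passphrase, so neither pinentry nor any --passphrase-* option is
# ever involved; run this once, as the person setting up the job.
function New-UnattendedKey {
    param(
        [string] $Name  = 'Batch Decryptor',
        [string] $Email = 'batch@example.com'
    )
    $params = @"
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $Name
Name-Email: $Email
Expire-Date: 0
%no-protection
%commit
"@
    $paramFile = Join-Path $env:TEMP 'gen-key.txt'
    Set-Content -Path $paramFile -Value $params -Encoding ASCII
    try {
        & $Gpg --batch --gen-key $paramFile
        if ($LASTEXITCODE -ne 0) { throw "key generation failed (exit $LASTEXITCODE)" }
    } finally {
        Remove-Item -Path $paramFile -ErrorAction SilentlyContinue
    }
    # The senders encrypt to this public key; nothing secret leaves the box.
    & $Gpg --armor --export $Email | Set-Content -Path "${Email}.asc" -Encoding ASCII
}

# An unprotected key is exactly as safe as the account that can read it, so
# drop inherited permissions on the GnuPG home and grant only the job's account.
function Protect-GpgHome {
    param([string] $Account = "$env:USERDOMAIN\$env:USERNAME")
    icacls $GpgHome /inheritance:r /grant:r "${Account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit $LASTEXITCODE)" }
}

function Unprotect-PgpFile {
    param(
        [Parameter(Mandatory)] [string] $InputFile,
        [Parameter(Mandatory)] [string] $OutputFile
    )
    # No passphrase, so no --passphrase-fd and no pinentry mode to juggle:
    # --batch alone guarantees gpg never waits on a prompt, --yes lets it
    # overwrite an existing output file.
    & $Gpg --batch --yes --output $OutputFile --decrypt $InputFile
    if ($LASTEXITCODE -ne 0) { throw "gpg failed for $InputFile (exit $LASTEXITCODE)" }
}

# Usage (one-time setup, then the unattended call):
# New-UnattendedKey; Protect-GpgHome
# Unprotect-PgpFile -InputFile 'C:\inbox\report.gpg' -OutputFile 'C:\work\report.csv'
```

Generating a fresh key means the senders must start encrypting to the new public key. If the existing key has to stay, a person at the console removes its passphrase once with gpg --edit-key and the passwd subcommand, giving an empty new passphrase, and the decrypt function above is unchanged. Dan Kegel notes elsewhere in this thread that on some gpg versions he still needed --pinentry-mode loopback even with passphrase-less keys; his linked posts cover that case.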


RE: Newbie can't get --passphrase option to work

2017-05-15 Thread Ryk McDorman
Kristian,

Thanks for the quick confirmation that I need to use --pinentry-mode loopback. 
I reviewed my program and found that I'd forgotten that I'd inserted an Exit 
statement (to troubleshoot something else), and that's what was causing only 
the first decryption to work. So, problem resolved!  Thanks again.

Ryk 

-Original Message-
From: Kristian Fiskerstrand [mailto:kristian.fiskerstr...@sumptuouscapital.com] 
Sent: Saturday, May 13, 2017 2:50 PM
To: Ryk McDorman <rmcd...@cobizfinancial.com>; gnupg-users@gnupg.org
Subject: RE: [EXT]:Newbie can't get --passphrase option to work

On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I've done a thorough search for a solution for this, but haven't come up with 
> much: a vague reference to a bug in 2.1.x that may have to do with it, and at 
> the end of my day yesterday I came across someone who used the 
> "--pinentry-mode loopback" option. Interestingly, when I add that to my 
> command, it DOES decrypt one file without prompting me, but then inexplicably 
> stops. (My program logic is fine, as without the -pinentry option, it prompts 
> me once for each file and decrypts each file.)  I haven't yet had time to 
> investigate that option; it's my next action but I've literally been working 
> on this for days now and needed to send out a plea for help!

And here you discuss it :p .. Yes, pinentry-mode loopback is necessary for 2.1 
use of --passphrase-fd and the like. In earlier versions of
2.1 this requires allow-pinentry-loopback for the gpg-agent, but in recent 
versions that is defaulted to on.

Can you provide the information when this argument is used and the scenario 
that fails, including explicit error messages?

--

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 
5109 5618 35AA 0B7F 8B60 E3ED FAE3

Amantes sunt amentes
Lovers are lunatics

CONFIDENTIALITY NOTICE:

This e-mail contains confidential information and is intended only for the 
individual named. If you are not the named addressee, you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately if you have received this e-mail by mistake and delete this 
e-mail from your system. E-mail cannot be guaranteed to be secure or 
error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or contain viruses. Neither the 
sender nor CoBiz Financial and its subsidiaries accept liability for any 
errors or omissions in the contents of this message which arise as a 
result of e-mail transmission.



Re: Newbie can't get --passphrase option to work

2017-05-13 Thread Dan Kegel
Did you see my walkthrough of all the problems I ran into while
getting gpg to not prompt?

https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html

That's for Linux, but it might still have a trick you're missing.



Re: Newbie can't get --passphrase option to work

2017-05-13 Thread Kristian Fiskerstrand
On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I've done a thorough search for a solution for this, but haven't come up with 
> much: a vague reference to a bug in 2.1.x that may have to do with it, and at 
> the end of my day yesterday I came across someone who used the 
> "--pinentry-mode loopback" option. Interestingly, when I add that to my 
> command, it DOES decrypt one file without prompting me, but then inexplicably 
> stops. (My program logic is fine, as without the -pinentry option, it prompts 
> me once for each file and decrypts each file.)  I haven't yet had time to 
> investigate that option; it's my next action but I've literally been working 
> on this for days now and needed to send out a plea for help!

And here you discuss it :p .. Yes, pinentry-mode loopback is necessary
for 2.1 use of --passphrase-fd and the like. In earlier versions of
2.1 this requires allow-pinentry-loopback for the gpg-agent, but in
recent versions that is defaulted to on.

Can you provide the information when this argument is used and the
scenario that fails, including explicit error messages?

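As an added example (not code from this thread or from GnuPG), here is the OP's one-line batch file reworked as a PowerShell function for GnuPG 2.1 on Windows, with the --pinentry-mode loopback fix Kristian describes and the gpg-agent.conf setting that older 2.1 releases need; the keyword in gpg-agent.conf is spelled allow-loopback-pinentry. The install path is the one from the OP's command; the home directory, inbox and output paths, and the passphrase file are assumptions, and the cutover release at which loopback became the default (about 2.1.12) is from memory.

```powershell
# Added example, not code from the thread: the OP's one-line batch file reworked
# as a PowerShell function for GnuPG 2.1 on Windows. The install path is the one
# from the OP's command; the home directory, inbox/output paths and the
# passphrase file are assumptions.

$Gpg     = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'
$GpgHome = Join-Path $env:APPDATA 'gnupg'   # GnuPG's default home on Windows

# GnuPG 2.1 delegates every passphrase prompt to gpg-agent, which normally starts
# the pinentry dialog. --pinentry-mode loopback makes gpg answer the agent's
# inquiry itself from --passphrase-fd / --passphrase-file. Older 2.1 releases
# (before roughly 2.1.12) only accept that when gpg-agent.conf contains
# 'allow-loopback-pinentry'; newer ones have it on by default.
function Enable-LoopbackPinentry {
    $conf = Join-Path $GpgHome 'gpg-agent.conf'
    $present = (Test-Path $conf) -and (Select-String -Path $conf -Pattern '^\s*allow-loopback-pinentry' -Quiet)
    if (-not $present) {
        Add-Content -Path $conf -Value 'allow-loopback-pinentry'
        # Ask the running agent to re-read its configuration.
        & (Join-Path (Split-Path $Gpg -Parent) 'gpgconf.exe') --reload gpg-agent
    }
}

function Unprotect-PgpFile {
    param(
        [Parameter(Mandatory)] [string] $InputFile,
        [Parameter(Mandatory)] [string] $OutputFile,
        [Parameter(Mandatory)] [string] $Passphrase
    )
    # Piping a string into a native program writes it plus a newline to stdin,
    # which is exactly what --passphrase-fd 0 reads. --batch forbids any
    # interaction, --yes lets gpg overwrite an existing output file instead of
    # asking, and stderr is captured so a failure shows gpg's own message.
    $log = $Passphrase | & $Gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 `
        --output $OutputFile --decrypt $InputFile 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "gpg failed for $InputFile (exit $LASTEXITCODE):`n$log"
    }
}

# Usage: read the passphrase from a file that only the job's account can read
# (it is still a secret sitting on the same disk as the key, which is the point
# Peter Lebbing raises in this thread) and process every file in the inbox,
# logging a failure rather than stopping at the first one.
Enable-LoopbackPinentry
$pass = Get-Content -Path 'C:\secure\pass.txt' -TotalCount 1
foreach ($f in Get-ChildItem -Path 'C:\inbox' -Filter '*.gpg' -File) {
    $out = Join-Path 'C:\work' $f.BaseName
    try   { Unprotect-PgpFile -InputFile $f.FullName -OutputFile $out -Passphrase $pass }
    catch { Write-Warning $_.Exception.Message }
}
```

Without --pinentry-mode loopback, GnuPG 2.1 ignores --passphrase-fd and --passphrase-file and the agent pops up pinentry anyway, which is exactly the symptom the OP reports; --batch on its own does not change that. The loop deliberately catches per file so that one bad input does not end the run, the failure mode the OP first blamed on the option.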


Re: Newbie can't get --passphrase option to work

2017-05-13 Thread Kristian Fiskerstrand
On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I was tasked with automating the decryption (and more) of files, so I've 
> written a PowerShell program that does everything I need it to do, except 
> that I can't get the decryption to decrypt without prompting for our 
> passphrase. I'm using a default installation of GnuPG 2.1.19 on Windows 7 (it 
> may go on a Win Server 2012 box for production). 

look into --pinentry-mode loopback



Newbie can't get --passphrase option to work

2017-05-13 Thread Ryk McDorman
I was tasked with automating the decryption (and more) of files, so I've 
written a PowerShell program that does everything I need it to do, except that 
I can't get the decryption to decrypt without prompting for our passphrase. I'm 
using a default installation of GnuPG 2.1.19 on Windows 7 (it may go on a Win 
Server 2012 box for production). 

In the program I'm passing the output and input filenames as parameters to a 
one-line batch file consisting of this command:
echo | "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch  
--output %1  --passphrase-fd 0 --decrypt %2

I've also tried the -passphrase-file and -passphrase  options 
with the same results: when the program runs I'm prompted to enter the 
passphrase. 

I've done a thorough search for a solution for this, but haven't come up with 
much: a vague reference to a bug in 2.1.x that may have to do with it, and at 
the end of my day yesterday I came across someone who used the "--pinentry-mode 
loopback" option. Interestingly, when I add that to my command, it DOES decrypt 
one file without prompting me, but then inexplicably stops. (My program logic 
is fine, as without the -pinentry option, it prompts me once for each file and 
decrypts each file.)  I haven't yet had time to investigate that option; it's 
my next action but I've literally been working on this for days now and needed 
to send out a plea for help!

I'm a total GPG newbie here, so, as they say on Reddit "Explain like I'm 5."  
Thanks!

Ryk 
