Re: Automatically changing/removing key passphrase: python-pgp_passtool

2019-10-26 Thread Bjarni Runar Einarsson

Hello again!

Since GnuPG appears to be designed not to handle this use-case, I
wrote a tool (a Python 2/3 library) to solve my problem:

https://github.com/BjarniRunar/python-pgp_passtool

It's also in PyPI, so `pip install pgp_passtool` should work.

To sum up: this is a tool for changing the passphrase on a secret
key, or removing the passphrase entirely. It can be used from the
shell, or from within Python code.

It is my hope that this will help folks like myself who need a
level of automation, but don't want to just use unprotected keys all
the time.

The tool has some support for coping with unusual character
encodings, and also allows the user to specify they want fast
(insecure) key derivation, for when we know the passphrase is
already very strong.

It's not a complete implementation, it's not well tested. There
are probably many keys out there which it cannot handle. So, I
very much welcome comments and bug reports and pull requests,
either here or in the issue tracker.

Cheers,
 - Bjarni

- -- 
PageKite.net lets your personal computer be part of the web

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
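
As background to the "fast (insecure) key derivation" option mentioned in the message above, this added example (not part of the original post and not pgp_passtool's own code) implements OpenPGP's iterated and salted S2K from RFC 4880 section 3.7.1.3 and shows how the one-octet coded count sets the derivation cost. It assumes the option corresponds to choosing a low count; the salt and passphrase are constructed samples.

```python
import hashlib
import time

def decode_count(coded):
    """Expand the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase, salt, coded, key_len, hash_name="sha256"):
    """Iterated and salted S2K (specifier type 3): passphrase -> key bytes."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    data = salt + passphrase
    # The count is a number of octets to hash, not a number of rounds, and
    # salt+passphrase is always hashed at least once in full.
    count = max(decode_count(coded), len(data))
    # Hash in large periodic chunks so the Python loop stays short.
    block = data * (65536 // len(data) + 1)
    full, rest = divmod(count, len(block))
    key, preload = b"", 0
    while len(key) < key_len:
        # Keys longer than one digest use extra contexts preloaded with zeros.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        for _ in range(full):
            h.update(block)
        h.update(block[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

if __name__ == "__main__":
    salt = bytes(range(8))                       # constructed sample salt
    passphrase = b"constructed sample passphrase"
    for coded in (0, 96, 255):                   # minimum, 65536 octets, maximum
        start = time.perf_counter()
        key = s2k_iterated_salted(passphrase, salt, coded, 32)
        ms = (time.perf_counter() - start) * 1000
        print("coded=%3d octets=%8d %8.2f ms key=%s..."
              % (coded, decode_count(coded), ms, key[:4].hex()))
```

The cost an attacker pays per passphrase guess scales with the decoded count, so a low count is only reasonable when the passphrase itself is high-entropy, for example a randomly generated one managed by software.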


Automatically changing/removing key passphrase

2019-10-23 Thread Bjarni Runar Einarsson

Hello GnuPG users!

Background: I'm working a bit on Mailpile's Autocrypt support
these days. Mailpile creates OpenPGP keys for its users, which
are protected by a strong passphrase, but generally manages those
passphrases on the user's behalf to guarantee a seamless user
experience. I don't want my users to be locked in to Mailpile,
and I wanted to implement the Autocrypt Setup Message (ASM) spec
so users had a standardized, semi-automated way to migrate their
keys from Mailpile to another mail agent. For better or worse,
the ASM defines a password protection scheme for the key material
which is different from a passphrase on the key itself.

So when syncing the keys, I need to remove the passphrase. I
cannot figure out an elegant way to do this using GnuPG or GPGME.

The GPGME manual's "Changing Passphrases" section 7.5.10 states:
"The backend engine will usually popup a window to ask for the
old and the new passphrase. Thus this function is not useful in a
server application (where passphrases are not required anyway)."

I guess from the point of view of GnuPG and GPGME, Mailpile is
behaving like a server application. But I would still rather not
store the secret keys unprotected, so I need an automated way to
manage the key's passphrase. How do I square this circle?

Any hints on how to automatically remove the passphrase using
gnupg without direct user interaction?

A Google search showed that this is a question that comes up
every now and then, but I have only seen manual procedures for
resolving it. Is this perhaps a feature which should be added?

Thanks in advance,
 - Bjarni

- -- 
PageKite.net lets your personal computer be part of the web
