On Fri 2019-11-08 02:10:48 -0500, Daniel Kahn Gillmor wrote: > + out:subprocess.CompletedProcess[bytes] = > subprocess.run(['gpg', '--decrypt'], > + > stdin=inp, > + > capture_output=True)
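Review bot: in the subprocess.run(['gpg', '--decrypt'], ...) call, gpg is started without --batch, so an unattended run may try to interact instead of failing cleanly; make the argument list ['gpg', '--batch', '--decrypt']. Since capture_output=True collects gpg's stderr along with its stdout, the caller should also check out.returncode before treating out.stdout as cleartext.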
sigh. this line should have the '--batch' option added between 'gpg'
and its command '--decrypt'. I can send you a revised patch, or you can
feel free to fix it up yourself when applying. let me know if you'd
prefer a revised patch.
PS gpg(1) says:
       --batch
       --no-batch
              Use batch mode. Never ask, do not allow interactive commands.
              --no-batch disables this option. Note that even with a filename
              given on the command line, gpg might still need to read from
              STDIN (in particular if gpg figures that the input is a detached
              signature and no data file has been specified). Thus if you do
              not want to feed data via STDIN, you should connect STDIN to
              ‘/dev/null’.
              It is highly recommended to use this option along with the
              options --status-fd and --with-colons for any unattended use of
              gpg.
I am deliberately choosing to not use either --status-fd or
--with-colons for email-print-mime-structure.
I'm not using --with-colons because there is no output from GnuPG that
we expect to be machine-readable -- we're just looking for the cleartext
of whatever ciphertext is in the message part.
I'm not using --status-fd because there is nothing actionable we can do
with GnuPG status messages, and asking for them would require switching
from subprocess.run to subprocess.Popen to take advantage of the
pass_fds argument, which in turn would make the script only work in a
POSIX environment (i believe, but have not tested, that the script can
currently be used on Windows).
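What requesting status output would involve on a POSIX system, as an added example that is not part of the original message or of email-print-mime-structure: a pipe is handed to the child with pass_fds and the [GNUPG:] status keywords are collected from it. The names decrypt_with_status and FAKE_GPG are hypothetical, and FAKE_GPG is a constructed stand-in for gpg so the block runs without a keyring.

```python
import os
import subprocess
import sys
import threading

# Constructed stand-in for gpg (assumption, so the example runs without a
# keyring): echoes stdin and writes GnuPG-style status lines to --status-fd.
FAKE_GPG = [sys.executable, "-c", (
    "import os, sys\n"
    "fd = int(sys.argv[sys.argv.index('--status-fd') + 1])\n"
    "os.write(fd, b'[GNUPG:] BEGIN_DECRYPTION\\n[GNUPG:] DECRYPTION_OKAY\\n')\n"
    "sys.stdout.buffer.write(sys.stdin.buffer.read())\n"
)]


def decrypt_with_status(data, gpg=("gpg",)):
    """Hypothetical helper: returns (returncode, cleartext, status keywords)."""
    r, w = os.pipe()
    try:
        # pass_fds is POSIX-only; the child sees the pipe under the same fd number.
        proc = subprocess.Popen(
            [*gpg, "--batch", "--status-fd", str(w), "--decrypt"],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE, pass_fds=(w,))
    except OSError:
        os.close(r)
        raise
    finally:
        os.close(w)  # parent must drop its write end or the reader never sees EOF

    raw = []
    def drain():
        with os.fdopen(r, "rb") as status:
            raw.append(status.read())
    # Read status concurrently so a chatty child cannot block on a full pipe.
    reader = threading.Thread(target=drain)
    reader.start()
    cleartext, _stderr = proc.communicate(data)
    reader.join()

    keywords = []
    for line in raw[0].splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == b"[GNUPG:]":
            keywords.append(parts[1].decode("ascii", "replace"))
    return proc.returncode, cleartext, keywords


if __name__ == "__main__":
    print(decrypt_with_status(b"constructed sample input", gpg=FAKE_GPG))
```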

