On Fri 2019-11-08 02:10:48 -0500, Daniel Kahn Gillmor wrote: > + out:subprocess.CompletedProcess[bytes] = > subprocess.run(['gpg', '--decrypt'], > + > stdin=inp, > + > capture_output=True)
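Review bot: the argument list in the quoted subprocess.run call has no '--batch', so gpg is free to prompt interactively when the script runs unattended; make it ['gpg', '--batch', '--decrypt']. The lines shown also do not check out.returncode, so confirm that the code following this call handles a failed decryption rather than treating whatever is in stdout as cleartext.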
sigh. this line should have the '--batch' option added between 'gpg' and its command '--decrypt'.

I can send you a revised patch, or you can feel free to fix it up yourself when applying. let me know if you'd prefer a revised patch.

PS gpg(1) says:

    --batch
    --no-batch
        Use batch mode. Never ask, do not allow interactive commands.
        --no-batch disables this option. Note that even with a filename
        given on the command line, gpg might still need to read from
        STDIN (in particular if gpg figures that the input is a detached
        signature and no data file has been specified). Thus if you do
        not want to feed data via STDIN, you should connect STDIN to
        ‘/dev/null’.

        It is highly recommended to use this option along with the
        options --status-fd and --with-colons for any unattended use of
        gpg.

I am deliberately choosing to not use either --status-fd or --with-colons for email-print-mime-structure.

I'm not using --with-colons because there is no output from GnuPG that we expect to be machine-readable -- we're just looking for the cleartext of whatever ciphertext is in the message part.

I'm not using --status-fd because there is nothing actionable we can do with GnuPG status messages, and asking for them would require switching from subprocess.run to subprocess.Popen to take advantage of the pass_fds argument, which in turn would make the script only work in a POSIX environment (i believe, but have not tested, that the script can currently be used on Windows).