On 12/23/20 1:56 PM, Oron Peled wrote:

> More problematic, but possible.
>
> The key is using "--pinentry-mode=loopback" (I don't have my scripts in front
> of me for further details)
There are simple use cases that are very problematic.
Consider this:

[me@localhost tmp]$ date >date.txt
[me@localhost tmp]$ gpg --pinentry-mode=loopback -c date.txt   ### this asks for a passphrase
[me@localhost tmp]$ ls -l
total 8
-rw-rw-r-- 1 me     me      32 Dec 24 16:59 date.txt
-rw-rw-r-- 1 me     me     110 Dec 24 17:00 date.txt.gpg
[me@localhost tmp]$ rm date.txt
[me@localhost tmp]$ gpg --pinentry-mode=loopback date.txt.gpg   ### this does not ask!
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
[me@localhost tmp]$ ls -l
total 8
-rw-rw-r-- 1 me     me      32 Dec 24 17:00 date.txt
-rw-rw-r-- 1 me     me     110 Dec 24 17:00 date.txt.gpg

That would be a very simple tutorial about symmetric encryption, and it is
absolutely surprising, since decryption happens without any need to supply
the passphrase.
Because an agent was forked and it remembers the symmetric
passphrase I've used! Crazy.

So let's see if we can use --batch: using it on encryption conflicts with
pinentry, using it on decryption doesn't disable the gpg-agent usage.

We should try to avoid the agent, let's see in the man page:
       --use-agent
       --no-use-agent
              This is dummy option. gpg always requires the agent.
Wow, the option you want, but with a dummy implementation.

There is a --no-autostart, let's try it: more wasted time.

The use case I care about is for a script that reads some data
from an encrypted file, asking me the passphrase when necessary.
Something like:

token="$(gpg1 --output - secrets.gpg | grep ^token= | cut -d= -f2)"
# use $token

The passphrase should not be hardcoded in the script or remembered by
a magic gpg-agent forked behind my back.

My only solution has been:
  dnf install gnupg1

Regards.

--
   Roberto Ragusa    mail at robertoragusa.it
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
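Added example, not part of the mail above and not GnuPG's own code. It reproduces the "decrypt without being asked" behaviour from the transcript in a throwaway GNUPGHOME, then repeats the same steps with gpg's --no-symkey-cache option (present since GnuPG 2.2.7) to show that the agent no longer remembers the symmetric passphrase. Because the verifier has no terminal, a tiny fake pinentry script stands in for the real passphrase dialog; it always answers "hunter2" and logs every GETPIN, so the number of prompts during the decrypt step tells us whether the agent served the passphrase from its cache. The file names, the passphrase and the sample "token=" line are this example's own constructed choices; gpg and gpgconf must be installed, otherwise the probe reports "skipped".

```shell
#!/bin/sh
# Added example, not taken from the mail above or from GnuPG itself.
# Reproduces gpg-agent caching a symmetric passphrase and checks that
# --no-symkey-cache (GnuPG >= 2.2.7) turns the cache off.
# File names, the passphrase "hunter2" and the sample secret are this
# example's own choices (constructed input).

# Create a minimal Assuan pinentry at $1 that answers every GETPIN with
# "hunter2" and appends a line to the log file $2 each time it is asked.
make_fake_pinentry() {
    cat > "$1" <<EOF
#!/bin/sh
echo "OK fake pinentry ready"
while read -r cmd rest; do
    case "\$cmd" in
        GETPIN) echo GETPIN >> "$2"; echo "D hunter2"; echo "OK" ;;
        BYE)    echo "OK"; exit 0 ;;
        *)      echo "OK" ;;
    esac
done
EOF
    chmod 755 "$1"
}

# symkey_cache_probe [extra gpg options]
#   1. gpg -c a constructed secrets file (passphrase comes from the fake pinentry)
#   2. decrypt it the way the script in the mail does and pick out the token
# Prints "cached" if the decrypt step needed no pinentry call at all (the agent
# still remembered the passphrase from step 1), "not-cached" if it had to ask,
# and "skipped" when gpg/gpgconf are not installed.
symkey_cache_probe() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgconf >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    log="$home/getpin.log"
    make_fake_pinentry "$home/fake-pinentry" "$log"
    echo "pinentry-program $home/fake-pinentry" > "$home/gpg-agent.conf"
    printf 'token=s3cr3t-value\nother=junk\n' > "$home/secrets.txt"   # constructed sample

    # Step 1: symmetric encryption. With default options the agent keeps the
    # passphrase, keyed by the message's S2K salt, as a side effect.
    GNUPGHOME="$home" gpg --quiet --no-tty --yes "$@" \
        --output "$home/secrets.gpg" -c "$home/secrets.txt" 2>/dev/null
    rm -f "$home/secrets.txt"
    : > "$log"          # from here on, count only what the decrypt step asks for

    # Step 2: the mail's use case, decrypt to stdout and extract one field.
    token=$(GNUPGHOME="$home" gpg --quiet --no-tty "$@" --decrypt --output - \
                "$home/secrets.gpg" 2>/dev/null | grep '^token=' | cut -d= -f2)
    asks=$(grep -c GETPIN "$log" || true)

    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"

    [ "$token" = "s3cr3t-value" ] || { echo decrypt-failed; return 1; }
    if [ "$asks" -eq 0 ]; then echo cached; else echo not-cached; fi
}

echo "default options:   $(symkey_cache_probe)"                    # cached (skipped without gpg)
echo "--no-symkey-cache: $(symkey_cache_probe --no-symkey-cache)"  # not-cached (skipped without gpg)
```

The fake pinentry is only there to make the run unattended; the observation is the same with a real pinentry and a terminal. Passing --no-symkey-cache on both the -c and the decrypt invocation is what keeps the passphrase out of the agent, so for the script in the mail it would go on the single gpg call that reads secrets.gpg and on whatever command created the file.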
