The 0 in "--passphrase-fd 0" is the number of the file descriptor from which gpg will read the passphrase. In this case, 0 is stdin. Since you didn't attach stdin to a pipe or a file through redirection, stdin is still attached to your terminal. You aren't being "prompted" for your passphrase; gpg is just reading from your terminal (a pipe), which doesn't have any data to read until you type it in.

You can redirect stdin two ways, either a pipe:

$ cat passphrase_file | gpg --passphrase-fd 0 ...

or from the stdin redirection

$ gpg --passphrase-fd 0 ... < passphrase_file

Reading from stdin doesn't necessarily mean it must come from a file. Your passphrase can come from a program that writes the passphrase to stdout:

$ my_agent | gpg --passphrase-fd 0 ...

And however "my_agent" securely stores your passphrase is left as an exercise to the reader (e.g. a database).
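As an added example that is not part of the original message: a small POSIX shell script showing what the descriptor number means in practice. fake_gpg is a constructed stand-in for gpg that reads one line from the given descriptor as the passphrase and the rest of stdin as the message, so the script runs without gpg installed; it shows that with fd 0 the passphrase consumes stdin, while a dedicated descriptor such as 3 (opened with `3< passphrase_file`) leaves stdin free for the message. The --pinentry-mode loopback option in the comments is what gpg 2.1 and later need for --passphrase-fd to take effect; it is not mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). fake_gpg is a constructed stand-in for
# "gpg --passphrase-fd N -d": it reads one line from descriptor N as the
# passphrase and the rest of stdin as the message, so the script runs without
# gpg. The real invocation it mirrors (gpg >= 2.1 also needs loopback pinentry):
#   gpg --batch --pinentry-mode loopback --passphrase-fd 3 -d msg.gpg 3< passfile

# Read exactly one line from descriptor $1, which is what gpg does for
# --passphrase-fd $1.
read_fd() {
    IFS= read -r _line <&"$1" || return 1
    printf '%s' "$_line"
}

# Stand-in for gpg: passphrase from fd $1, message from whatever is left on
# stdin. Prints "data=<stdin contents>" so we can see what stdin carried.
fake_gpg() {
    _pass=$(read_fd "$1") || { echo "no passphrase on fd $1" >&2; return 2; }
    _data=$(cat)
    [ "$_pass" = "correct horse" ] || { echo "bad passphrase" >&2; return 2; }
    printf 'data=%s' "$_data"
}

# Constructed inputs in a private temp dir; the passphrase file is a secret,
# so keep it mode 0600.
setup() {
    TMP=$(mktemp -d) || exit 1
    printf '%s\n' "correct horse" > "$TMP/passphrase"
    chmod 600 "$TMP/passphrase"
    printf 'hello\n' > "$TMP/message"
}

# Variant 1 (as in the thread): passphrase on fd 0. stdin *is* the passphrase
# now, so the message has to be named on the command line, not piped in.
with_fd0() {
    fake_gpg 0 < "$TMP/passphrase"
}

# Variant 2: passphrase on a dedicated descriptor opened just for this
# command; stdin stays free for the message.
with_fd3() {
    fake_gpg 3 3< "$TMP/passphrase" < "$TMP/message"
}

setup
printf 'fd 0 -> %s\n' "$(with_fd0)"   # data=
printf 'fd 3 -> %s\n' "$(with_fd3)"   # data=hello
rm -rf "$TMP"
```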


On Apr 17, 2007, at 8:27 AM, jane grove wrote:

Thanks, David.  I still have a question though:

In my script, I used the command
"gpg --batch --passphrase-fd 0 -d [INPUTFILE]"
to decrypt my "INPUTFILE".  When I run the script, it pauses and waits
for the passphrase.  If I enter the passphrase, the script goes
through well.  If I hit enter without the right passphrase, the script
complains about not having the right passphrase.

How can I run this script in silent mode and feed the passphrase to it
automatically?  I am trying not to interact with the script during its
running.

Thanks - Jane

On 4/14/07, David Shaw <[EMAIL PROTECTED]> wrote:
On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
Hello,
I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a
script). When I use the option "--batch", I don't have a way to enter the
user id or passphrase.

Look at the --passphrase-fd, --passphrase-file, or --passphrase
options.  They are all in the manual, and can be used to provide a
passphrase during batch operation.

However, if you are including the passphrase in a script, it is worth
asking yourself if there is any security benefit in having a
passphrase-protected key at all.  After all, an attacker who gets
access to the script needs merely to read it to know the passphrase.

David


_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
