Re: (pre)cache password rather than use allow-loopback-pinentry

2017-08-08 Thread Werner Koch
On Sat, 29 Jul 2017 20:24, di...@webweaving.org said:

> Lovely. Is there any way one can suppress the fingerprint of the primary key 
> (as when doing line oriented things; both the ’sec’ and ’ssb’ line are 
> followed by structurally identical ‘fpr’ lines)?

No.  You should use a simple state machine to process them: if you want
to get the fingerprints of the subkey, wait for "sub" or "ssb" and catch
the fpr or grp lines until you see another "sub" or "ssb" line.
Something like this:

awk -F: '$1 == "pub" || $1=="sec" {subseen=0; next}
  $1=="sub" || $1=="ssb" {subseen=1; next}
  $1=="fpr" && subseen {print $10}'


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: (pre)cache password rather than use allow-loopback-pinentry

2017-07-29 Thread Dirk-Willem van Gulik
On 21 Jul 2017, at 18:34, Werner Koch  wrote:
> 
> On Fri, 21 Jul 2017 11:37, di...@webweaving.org said:
> 
>> And I really would not mind to be able to refer to subkeys by number -and- 
>> fpr; as the fpr of a subkey is a bit cumbersome to extract afaik (double 
>> --fingerprint).
> 
> Using the number with the quick commands is not a good idea because
> another process might have changed the keys in the meantime.  For
> --edit-key this is not a problem because you work on a copy and last
> save wins.  So I went with subkey fingerprints:
> 
>  --quick-set-expire fpr expire [*|subfprs]

Works absolutely splendidly (tested in 2.1.22 on openbsd). And has made things 
much more robust with smart-card subkeys.

Thanks !

> Since some 2.1 version the fingerprints of the subkeys are always
> included when you do
> 
>  gpg --list-keys --with-colons

Lovely. Is there any way one can suppress the fingerprint of the primary key 
(as when doing line oriented things; both the ’sec’ and ’ssb’ line are followed 
by structurally identical ‘fpr’ lines)?

Dw


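The state machine Werner describes at the top of the thread (wait for a "sub"/"ssb" record, then attach the following "fpr"/"grp" records to that subkey) and the --quick-set-expire fpr expire [*|subfprs] syntax quoted above fit together naturally: parse the --with-colons listing once, then feed the subkey fingerprints (and keygrips) to the quick command. The following Python is an added example, not code from the thread or from GnuPG; the listing it parses is constructed, and every key ID, fingerprint and keygrip in it is a dummy. Field positions follow GnuPG's doc/DETAILS (field 1 record type, field 5 key ID, field 7 expiry, field 12 capabilities; field 10 on fpr/grp records carries the hash). The command line is only built, never executed.

```python
"""Added example (not the thread's or GnuPG's own code): parse
`gpg --list-keys --with-colons` output with a small state machine, collect
each subkey's fingerprint and keygrip, and build the argv of
`gpg --quick-set-expire fpr expire [*|subfprs]`."""

from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Union

# Constructed sample listing; all IDs, fingerprints and keygrips are dummies.
SAMPLE_LISTING = """\
tru::1:1500000000:0:3:1:5
pub:u:2048:1:1111111111111111:1500000000:1600000000::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
grp:::::::::0000111122223333444455556666777788889999:
uid:u::::1500000000::UIDHASH::Test User <test@example.invalid>::::::::::0:
sub:u:2048:1:2222222222222222:1500000000:1600000000:::::s::::::23:
fpr:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
grp:::::::::1111222233334444555566667777888899990000:
sub:u:2048:1:3333333333333333:1500000000:1600000000:::::e::::::23:
fpr:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
grp:::::::::2222333344445555666677778888999900001111:
"""


@dataclass
class Key:
    keyid: str
    expires: str          # seconds since the epoch, "" when the key never expires
    caps: str             # capability letters, e.g. "s", "e", "scESC"
    fpr: str = ""         # filled in from the fpr record that follows
    grp: str = ""         # filled in from the grp record that follows


@dataclass
class Certificate:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)


def parse_listing(text: str) -> List[Certificate]:
    """State machine: `current` is the key that the next fpr/grp records
    describe; a pub/sec record starts a new certificate, a sub/ssb record
    switches `current` to that subkey.  Other record types carry nothing we
    need and leave the state unchanged."""
    certs: List[Certificate] = []
    current: Optional[Key] = None
    for line in text.splitlines():
        f = line.split(":")
        rectype = f[0]
        if rectype in ("pub", "sec"):
            current = Key(keyid=f[4], expires=f[6], caps=f[11])
            certs.append(Certificate(primary=current))
        elif rectype in ("sub", "ssb") and certs:
            current = Key(keyid=f[4], expires=f[6], caps=f[11])
            certs[-1].subkeys.append(current)
        elif rectype == "fpr" and current is not None:
            current.fpr = f[9]
        elif rectype == "grp" and current is not None:
            current.grp = f[9]
    return certs


def subkey_fingerprints(text: str) -> List[str]:
    """Same selection as the awk one-liner in the thread: fpr records that
    follow a sub/ssb record, never the primary key's own fpr."""
    return [k.fpr for cert in parse_listing(text) for k in cert.subkeys]


def quick_set_expire_argv(cert: Certificate, expire: str,
                          subkeys: Union[None, str, Sequence[str]] = None) -> List[str]:
    """Build `gpg --quick-set-expire fpr expire [*|subfprs]`.
    subkeys=None   -> only the primary key's expiry is changed
    subkeys="*"    -> all subkeys
    subkeys=[...]  -> the listed subkeys, given by key ID or fingerprint
    `expire` is passed through in gpg's own syntax (e.g. "120" days or "1y")."""
    argv = ["gpg", "--quick-set-expire", cert.primary.fpr, expire]
    if subkeys is None:
        return argv
    if subkeys == "*":
        return argv + ["*"]
    wanted = set(subkeys)
    chosen = [k.fpr for k in cert.subkeys if k.keyid in wanted or k.fpr in wanted]
    if not chosen:
        raise ValueError("no subkey of %s matches %r" % (cert.primary.keyid, list(subkeys)))
    return argv + chosen


def keygrips(cert: Certificate) -> List[str]:
    """Keygrips of the primary key and its subkeys, in listing order.  The
    keygrip is the cache ID gpg-preset-passphrase works with, so this is what a
    cache warm-up step would hand to it (not done here)."""
    return [cert.primary.grp] + [k.grp for k in cert.subkeys]


if __name__ == "__main__":
    cert = parse_listing(SAMPLE_LISTING)[0]
    print("subkey fprs:", subkey_fingerprints(SAMPLE_LISTING))
    print(" ".join(quick_set_expire_argv(cert, "1y", "*")))
```

Because the primary key's fpr record precedes the uid records and the first sub record, the parser never confuses it with a subkey fingerprint; a stray fpr record before any pub/sec record is simply ignored rather than mis-attached.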


Re: (pre)cache password rather than use allow-loopback-pinentry

2017-07-21 Thread Werner Koch
On Fri, 21 Jul 2017 10:05, di...@webweaving.org said:

> Thanks - that is a nice treasure trove you unearthed for me. Thanks !

Some examples are given at 

  https://gnupg.org/faq/whats-new-in-2.1.html#quickgen


> Ok - I’ll need to investigate as to why this does work for our setting (auto 
> renewal of expiry date of keys on chipcard (included below).

It works because we did not introduce new prompts and kept the order
of existing prompts.  As soon as we add new prompts, or change the
behaviour of e.g. --expert, your script will break.

> What I was hoping that there is a way to ‘trigger’ a ‘real’ pinentry request 
> by gpg-agent (and allowing it to cache the result for N seconds) prior to 
> going to gpg2 into command mode.  I.e. to warm up the cache.

That should be possible with gpg-preset-passphrase command.  See its man
page.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: (pre)cache password rather than use allow-loopback-pinentry

2017-07-21 Thread Dirk-Willem van Gulik

> On 21 Jul 2017, at 10:05, Dirk-Willem van Gulik  wrote:
> 
>>> And then let the batch.commands (which does a complex dance of subkey 
>>> renewal and some chip card shuffling) run against that ?
>> 
>> Please check whether some of the new --quick-foo commands can be helpful.
> 
> Thanks - that is a nice treasure trove you unearthed for me. Thanks !

Those --quick commands are a huge help. The one thing missing seems to be one 
for the routine extension of the expiry of subkeys.

Or is there a clever syntax for the ‘fpr of the primary key to refer to a 
subkey by number or otherwise (referring to it by fingerprint gives me a ‘ 
is not the primary fingerprint” ?

Kind regards,

Dw







Re: (pre)cache password rather than use allow-loopback-pinentry

2017-07-21 Thread Dirk-Willem van Gulik

> On 21 Jul 2017, at 08:46, Werner Koch  wrote:
> 
> On Thu, 20 Jul 2017 20:04, di...@webweaving.org said:
> 
>>  cat batch.commands | gpg2 --no-tty --batch --passphrase-XX XX 
>> --command-fd 0 --pinentry-mode loopback  …
> 
> This is not going to work.  --command-fd must always be used in
> conjunction with --status-fd so that a GET_foo status line output
> triggers input to the command fd descriptor.

Ok - I’ll need to investigate as to why this does work for our setting (auto 
renewal of expiry date of keys on chipcard (included below).

>> And then let the batch.commands (which does a complex dance of subkey 
>> renewal and some chip card shuffling) run against that ?
> 
> Please check whether some of the new --quick-foo commands can be helpful.

Thanks - that is a nice treasure trove you unearthed for me. Thanks !

>> Or to somehow use a pure TTY based pinentry in such a setting (it is an off 
>> line machine with barely more than a serial connection).
> 
> GnuPG has examples on how to write simple pinentries
> (/tests/fake-pinentries/).  Based on such an example and with the envvar
> PINENTRY_USER_DATA you can provide passphrases or PINs to gpg-agent.

So this we have working.

What I was hoping is that there is a way to ‘trigger’ a ‘real’ pinentry request by 
gpg-agent (and allowing it to cache the result for N seconds) prior to going to 
gpg2 into command mode.  I.e. to warm up the cache.

As to rely as much as possible on the existing security of gpg-agent and its 
cache (cleanup) management.

Thanks,

Dw.

#!/bin/sh
set -e

PWFILE=${PWFILE:-passwd.txt}
DAYS=${DAYS:-120}


if [ $# != 1 ]; then
echo Syntax: $0 \ > /dev/stderr
exit 1
fi

if !  test -f $PWFILE; then
echo No pwd $PWFILE > /dev/stderr
exit 1
fi

KEYID=$1

cat <
