automation

Werner Koch wk@gnupg.org
Thu, 13 Jan 2000 19:06:08 +0100


On Thu, 13 Jan 2000, Chuck Robey wrote:


> and pass the file containing the passphrase in via an option. I can't
> pass both the document to be signed and the passphrase in on stdin, and it
> would be much easier to pass in the document via stdin, so that it can be
> part of a pipe.
$ cat myfile | gpg --batch --sign --passphrase-fd 3 3<passwd_file \
    | foo
> Is that possible to perform? Or must I delete the passphrase to get this
> action (I wouldn't want to do that, but it CAN'T be interactive).
IMO it does not make sense to have a passphrase on an automated process when you have to put the passphrase in a file anyway. An attacker who is able to get your secret keyring file will also be able to get the passphrase file.

To better protect your primary key, I will add a feature which zeroes out the secret part of the primary key from the keyring but leaves the subkeys intact. You can then create a signing subkey and use this one for the automated process. In case there is evidence that someone got the secret key, you still have a copy of the real one and you are able to create revocation certificates for all the subkeys while keeping your primary key and all its certifications valid.

--
Werner Koch at guug.de           www.gnupg.org           keyid 621CC013
Boycott Amazon!  -  http://www.gnu.org/philosophy/amazon.html