Option in gpg to copy STDIN to STDOUT instead of nowhere.

Andrew Gallagher andrewg at andrewg.com
Tue Dec 19 15:42:15 CET 2023


On 19 Dec 2023, at 13:53, Gilles LAMIRAL via Gnupg-devel <gnupg-devel at gnupg.org> wrote:
> 
> >> The command "gpg --decrypt" takes a file or STDIN as input and decrypts,
> >> tries to, the part between
> >> -----BEGIN PGP MESSAGE-----
> >> ...
> >> -----END PGP MESSAGE-----
> >> and also throws away everything else.
> >
> > That's exactly what --decrypt is supposed to do. Try running gpg without
> > --decrypt.
> 
> 
> I tried gpg without --decrypt and the behavior is the same, STDIN is thrown away
> but the "-----PGP MESSAGE-----" block deciphered.
> 
> So, what is the option to get gpg reproducing STDIN to STDOUT?

Transparently decrypting inline messages opens you up to all sorts of smuggling attacks, where it is not clear from the output which parts of the message were encrypted or not. It is therefore not a good idea in general to implement this (see: efail).

However, if you have a specific use case that requires it, and you understand and accept the risk, you could try wrapping it in a loop like this (beware this is NOT TESTED):

# Assumes $P holds the passphrase and mailbox.txt is the input, as in the original.
while IFS= read -r line; do             # stops at end of input instead of looping forever
	# copy cleartext through unchanged until an armored block starts
	while [[ $line != "-----BEGIN PGP MESSAGE-----" ]]; do
		printf '%s\n' "$line"
		IFS= read -r line || break 2    # end of input with no block pending: leave both loops
	done
	echo "<<<<<BEGIN DECRYPTED MESSAGE>>>>>"
	{
	# feed the whole armored block, BEGIN line through END line, to gpg
	while [[ $line != "-----END PGP MESSAGE-----" ]]; do
		printf '%s\n' "$line"
		IFS= read -r line || break      # truncated block: gpg reports the error
	done
	printf '%s\n' "$line"
	} | gpg --decrypt --batch --no-tty --pinentry-mode loopback --passphrase="$P" 2>/dev/null
	echo "<<<<<END DECRYPTED MESSAGE>>>>>"
done < mailbox.txt > decrypted-mailbox.txt

A
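As an added example that is not part of Andrew's reply, the following POSIX shell script addresses the smuggling concern he raises by prefixing every output line with its provenance (C| cleartext, D| decrypted, E| error) instead of relying on in-band markers that cleartext could forge; the `DECRYPT_CMD` hook and the `tag_lines`/`split_and_label` names are assumptions, and the key is assumed to be usable non-interactively.

```shell
#!/bin/sh
# Added example, not from the thread: label output lines by provenance so that
# cleartext can never pass itself off as decrypted text (cf. the efail concern).
# DECRYPT_CMD is an assumed hook; it defaults to gpg and can be replaced by a
# stand-in such as `cat` when exercising the framing logic without keys.
: "${DECRYPT_CMD:=gpg --decrypt --batch --no-tty --quiet}"

# tag_lines TAG: prefix every stdin line with "TAG| "
tag_lines() {
    local l
    while IFS= read -r l || [ -n "$l" ]; do
        printf '%s| %s\n' "$1" "$l"
    done
}

# split_and_label: stdin is a mailbox-like stream. Cleartext goes out as "C| ...",
# each armored block is decrypted and emitted as "D| ...", failures as "E| ...".
# Because every line carries a prefix, a cleartext line reading "D| x" becomes
# "C| D| x" and cannot be mistaken for decrypted output.
split_and_label() {
    local line plain in_block block
    in_block=0; block=""
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$in_block" -eq 1 ]; then
            block="$block$line
"
            if [ "$line" = "-----END PGP MESSAGE-----" ]; then
                # DECRYPT_CMD is intentionally unquoted so it may carry options
                if plain=$(printf '%s' "$block" | $DECRYPT_CMD 2>/dev/null); then
                    printf '%s\n' "$plain" | tag_lines D
                else
                    printf 'E| decryption failed\n'
                fi
                in_block=0; block=""
            fi
        elif [ "$line" = "-----BEGIN PGP MESSAGE-----" ]; then
            in_block=1; block="$line
"
        else
            printf 'C| %s\n' "$line"
        fi
    done
    # a BEGIN without END is reported rather than dropped or leaked as cleartext
    [ "$in_block" -eq 1 ] && printf 'E| unterminated PGP MESSAGE block\n'
    return 0
}
```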
