Thu, 13 Jan 2000 19:06:08 +0100
On Thu, 13 Jan 2000, Chuck Robey wrote:
> and pass the file containing the passphrase in via an option. I can't
> pass both the document to be signed and the passphrase in on stdin, and it
> would be much easier to pass in the document via stdin, so that it can be
> part of a pipe.
$ cat myfile | gpg --batch --sign --passphrase-fd 3 3<passwd_file \
> Is that possible to perform? Or must I delete the passphrase to get this
> action (I wouldn't want to do that, but it CAN'T be interactive).
IMO it does not make sense to have a passphrase on an automated
process when you have to put the passphrase in a file anyway.
An attacker who is able to get your secret keyring file will also
be able to get the passphrase file.
To better protect your primary key, I will add a feature which zeroes
out the secret part of the primary key from the keyring but leaves
the subkeys intact. You can then create a signing subkey and use this
one for the automated process. In case there is evidence that
someone got the secret key, you still have a copy of the real one and
you are able to create revocation certificates for all the subkeys
while keeping your primary key and all its certifications valid.
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
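The split described above, as an added example that is not part of the original mail or of GnuPG's own code: a certify-only primary key and a signing subkey are generated in an "offline" keyring, only the subkey's secret part is exported (what today's gpg does with --export-secret-subkeys, which leaves the primary as a stub), the automated job imports that into its own keyring, and then signs a document arriving on stdin with the passphrase read from fd 3 as in the command line quoted above. The script assumes GnuPG 2.1 or later (--quick-generate-key, --quick-add-key, --pinentry-mode loopback) and a POSIX shell; the user id, passphrase and signed text are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes GnuPG >= 2.1.
# Constructed values for the demonstration:
UID_STR='Automation <automation@example.com>'
PASS='correct horse battery staple'

# gpg wrapper: non-interactive, loopback pinentry, explicit home directory.
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --pinentry-mode loopback "$@"; }

cleanup() {
    for h in "$@"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null
        rm -rf "$h"
    done
}

run_demo() {
    # 1. Certify-only primary key, kept in the offline keyring.
    g "$OFFLINE" --passphrase "$PASS" --quick-generate-key "$UID_STR" default cert never || return 1
    FPR=$(g "$OFFLINE" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$FPR" ] || return 1

    # 2. Signing subkey for the automated process, with an expiry so a
    #    key that leaks and is never revoked still dies on its own.
    g "$OFFLINE" --passphrase "$PASS" --quick-add-key "$FPR" default sign 1y || return 1

    # 3. Export only the subkeys' secret parts; the primary becomes a stub.
    g "$OFFLINE" --passphrase "$PASS" --export-secret-subkeys "$FPR" > "$AUTO/subkeys.gpg" || return 1
    g "$AUTO" --passphrase "$PASS" --import "$AUTO/subkeys.gpg" || return 1
    # The automation keyring must list the primary as "sec#" (secret part absent).
    g "$AUTO" --list-secret-keys | grep -q '^sec#' \
        || { echo "primary secret key ended up in the automation keyring"; return 1; }

    # 4. Passphrase file for the job. As the mail notes, on the same host
    #    it protects no better than the keyring file itself.
    printf '%s\n' "$PASS" > "$AUTO/passfile" && chmod 600 "$AUTO/passfile" || return 1

    # 5. Sign a document coming in on stdin; passphrase arrives on fd 3.
    printf 'build artifact %s\n' "$(date +%s)" \
        | g "$AUTO" --passphrase-fd 3 --sign 3<"$AUTO/passfile" > "$AUTO/doc.gpg" || return 1

    # 6. Verify, and confirm the signature was made by the subkey, not the primary.
    SIGKEY=$(g "$AUTO" --status-fd 1 --verify "$AUTO/doc.gpg" 2>/dev/null \
             | awk '$2=="VALIDSIG"{print $3; exit}')
    [ -n "$SIGKEY" ] && [ "$SIGKEY" != "$FPR" ] || return 1
    echo "signed by subkey $SIGKEY; primary $FPR stays offline"
    return 0
}

# Returns 0 on success (or when gpg is not installed, so the demo is skipped).
demo_subkey_signing() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; return 0; }
    OFFLINE=$(mktemp -d) || return 1   # full key, never copied to the job host
    AUTO=$(mktemp -d) || return 1      # what the automated job gets
    run_demo; rc=$?
    cleanup "$OFFLINE" "$AUTO"
    return $rc
}

demo_subkey_signing
```

If the subkey is ever suspected to be compromised, the revocation is done from the offline keyring, which still holds the complete primary key (gpg --edit-key on that fingerprint, revkey on the subkey), and the revoked key is re-published; signatures and certifications made with the primary key itself are unaffected.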