automation
Werner Koch
wk@gnupg.org
Thu, 13 Jan 2000 19:06:08 +0100
On Thu, 13 Jan 2000, Chuck Robey wrote:
> and pass the file containing the passphrase in via an option. I can't
> pass both the document to be signed and the passphrase in on stdin, and it
> would be much easier to pass in the document via stdin, so that it can be
> part of a pipe.
$ cat myfile | gpg --batch --sign --passphrase-fd 3 3<passwd_file \
| foo
> Is that possible to perform? Or must I delete the passphrase to get this
> action (I wouldn't want to do that, but it CAN'T be interactive).
IMO it does not make sense to have a passphrase on an automated
process when you have to put the passphrase in a file anyway.
An attacker who is able to get your secret keyring file will also
be able to get the passphrase file.
To better protect your primary key, I will add a feature which zeroes
out the secret part of the primary key from the keyring but leaves
the subkeys intact. You can then create a signing subkey and use this
one for the automated process. In case there is evidence that
someone got the secret key, you have still a copy of the real one and
you are able to create revocation certificates for all the subkeys
while keeping your primary key and all its certifications valid.
--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
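As an added example (not code from the mail or from GnuPG): a POSIX shell wrapper around the invocation above, keeping stdin free for the document so it can sit in a pipe while the passphrase arrives on descriptor 3, together with a stand-in signer so the descriptor plumbing can be exercised without a keyring. Assumptions: gpg is on PATH, a GnuPG 2.1 or later that needs --pinentry-mode loopback for --passphrase-fd in batch mode, and --export-secret-subkeys as the later form of the feature the mail announces; all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the mail or from GnuPG. Wraps the invocation
# from the mail so the document flows through stdin (usable in a pipe) while
# the passphrase arrives on file descriptor 3, and adds a gpg stand-in so the
# descriptor plumbing can be checked without any keyring.

# sign_stdin PASSFILE: sign the document on stdin, passphrase read from fd 3.
# Assumes gpg on PATH; GnuPG 2.1 and later also need --pinentry-mode loopback
# before --passphrase-fd is honoured in batch mode (assumption: gpg >= 2.1).
sign_stdin() {
    gpg --batch --pinentry-mode loopback --sign --passphrase-fd 3 3<"$1"
}

# export_subkeys_only KEYID OUTFILE: the feature the mail announces exists in
# later GnuPG as --export-secret-subkeys; the exported keyring carries only a
# stub for the primary's secret part, so this is the file for the automation
# host (assumption: a GnuPG version that has this option).
export_subkeys_only() {
    gpg --batch --export-secret-subkeys "$1" > "$2"
}

# fd3_demo: hypothetical stand-in for gpg. Reads one line from fd 3 (the
# passphrase) and the whole document from stdin, then reports both, so a
# check can confirm the two streams never mix.
fd3_demo() {
    IFS= read -r pass <&3 || return 1
    doc=$(cat)
    printf 'fd3=[%s] stdin=[%s]\n' "$pass" "$doc"
}

# run_demo DOC PASSFILE: the mail's pipeline shape, with the stand-in signer.
run_demo() {
    printf '%s' "$1" | fd3_demo 3<"$2"
}

# make_passfile DIR PASSPHRASE: write the passphrase file owner-readable only
# and print its path (constructed values are passed in by the caller).
make_passfile() {
    printf '%s\n' "$2" > "$1/passwd_file"
    chmod 600 "$1/passwd_file"
    printf '%s\n' "$1/passwd_file"
}

# demo_main: end-to-end run of the stand-in with constructed inputs.
demo_main() {
    tmp=$(mktemp -d)
    pw=$(make_passfile "$tmp" 'constructed passphrase')
    run_demo 'constructed document' "$pw"
    rm -rf "$tmp"
}
```

demo_main exercises the stand-in; on a host that holds only the subkey keyring, `cat myfile | sign_stdin passwd_file | foo` is the mail's pipeline with the real gpg.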