Sign without passphrase request

Ryan Malayter rmalayter@bai.org
Wed Nov 14 18:52:01 2001


Signing without prompting for a password is not usually a good idea, since it
requires that the password be stored in the clear someplace, or stored with
reversible encryption. Not a very secure situation: it basically makes PGP's
security moot if the signing machine can be compromised in any way.

This topic is covered in the GnuPG FAQ. Basically, your best (and probably
most secure) bet is to remove the password from your private key entirely
for automated systems, and use a revokable subkey for signing in case the
machine is compromised.

See http://www.gnupg.org/faq.html, section 4.14.

If you want to pass a passphrase from another program to gpg, there is the
--passphrase-fd option, which is covered in the gpg.man documentation. For
example, you can pass a password to gpg from stdin by doing:

echo password|gpg -s -a --passphrase-fd 0 <inputfilename>

Watch your spaces with this... putting a space before the pipe causes your
password to be read incorrectly in some environments.

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA


> -----Original Message-----
> From: Jan Hanstede [mailto:cyberzult@gmx.net] 
> Sent: Wednesday, November 14, 2001 3:25 AM
> To: gnupg-users@gnupg.org
> Subject: Sign without passphrase request
> 
> 
> Hi,
> 
> How do I sign something with the commandline gpg tool without 
> getting a passphrase request? So I want to pass the 
> passphrase with the commandline options. I seem to be able to 
> encrypt a string without the passphrase by using:
> 
> echo jajajajaja | gpg -a --always-trust --batch 
> --no-secmem-warning -e -u user -r email@mail.com
> 
> However if I try to SIGN a message and replace the -e 
> (encrypting) by -s I
> get:
> 
> gpg: can't query password in batchmode
> gpg: skipped `user': bad passphrase
> gpg: signing failed: bad passphrase
> 
> Removing the batch option results in a passphrase request 
> which I can't handle cause I need to sign this within a (PHP) script.
> 
> Thanks!
>