Trouble automating gpg

Ryan Malayter rmalayter@bai.org
Fri Oct 12 16:45:01 2001


After you move the secring.auto file to the test directory, you need to
rename it secring.gpg (which can get confusing), or use:
    gpg --homedir . --edit foo --secret-keyring secring.auto
when you want to edit the key to remove the pass phrase.

A necessary step left out of the FAQ, it seems.



:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA

-----Original Message-----
From: Dailey,Nancy [mailto:nancy.dailey@gartner.com]
Sent: Friday, October 12, 2001 8:29 AM
To: 'gnupg-users@gnupg.org'
Subject: Trouble automating gpg

I sent this message earlier. Does anyone have any answers?

Nancy

> -----Original Message-----
> From: Dailey,Nancy
> Sent: Tuesday, October 09, 2001 5:32 PM
> To: 'gnupg-users@gnupg.org'
> Subject: Automate gpg
>
> I followed the instructions below on how to use GnuPG in an automated
> environment (from FAQ), then realized I had mistyped the email
> address. I tried to add a new userid with the correct email address,
> and keep getting the message, "Secret keys not available". I then
> went back to the manual and read under "--export-secret-subkeys" that
> "The second form of the command has the special property to render the
> secret part of the primary key useless". I am assuming this is the
> problem, but I don't know what to do about it. I was also not sure
> what I was supposed to use for 'foo'. I tried to use the short form
> of the added key ID, but this did not work. We kept trying different
> things until one worked, and I'm not sure what that was.
>
> I really want to be able to automate this. Can you tell me where I
> went wrong and how I can automate signing the encrypted file?
>
> Nancy Dailey
>
>
> 4.14) How can I use GnuPG in an automated environment?
>
> You should use the option --batch and don't use pass phrases as there
> is usually no way to store it more securely than the secret keyring
> itself. The suggested way to create the keys for the automated
> environment is:
>
> On a secure machine:
>
> 1.If you want to do automatic signing, create a signing subkey for
> your key (edit menu, choose "addkey" and the DSA).
> Make sure that you use a passphrase (Needed by the current
> implementation)
> 2.gpg --export-secret-subkeys --no-comment foo >secring.auto
> 3.Copy secring.auto and the public keyring to a test directory.
> 4.Cd to this directory.
> 5.gpg --homedir . --edit foo and use "passwd" to remove the
> pass-phrase from the subkeys. You may also want to
> remove all unused subkeys.
> 6.copy secring.auto to a floppy and carry it to the target box
>
> On the target machine:
>
> 1.Install secring.auto as secret keyring.
> 2.Now you can start your new service. It is a good idea to install
> some intrusion detection system so that you hopefully get
> a notice of a successful intrusion, so that you in turn can
> revoke all the subkeys installed on that machine and install new
> subkeys.
>
>
> Nancy N. Dailey
> Senior Systems Analyst
> IS3 - Information Systems and Technology
> Gartner Group
> Phone 1-203-316-3418
> Fax 1-203-316-6490
>
>