Leigh S. Jones, KR6X kr6x@kr6x.com
Sat Apr 13 01:49:01 2002

To avoid forcing the user to put sensitive information onto the command line
(and thus compromising security due to the availability of commands such
as ps -ef or ps -aux on Unix/Linux systems that allow all users access to
command line contents), gpg accepts inputs that could be sensitive from
files: you open the files yourself and pass the file descriptors to the gpg
command line as ASCII decimal integers.  The file descriptors could actually
point to an open file or a memory buffer, but your ability to control read
access to disk files under Unix allows you to protect your sensitive data.

This could be used to protect your password, as in "gpg --passphrase-fd ####
--status-fd #### -u [user] --batch --clearsign [filename]".  The file
#### that follows --status-fd receives the text of the gpg status messages
that would otherwise be output to the screen.  You must have the file open
when you execute the command.

If you use file descriptors like the zero that you've illustrated below, you
are usually indicating keyboard input.  Isn't it zero for keyboard (stdin), 1
for screen output (stdout), 2 for error (stderr) on many machines?  When
--command-fd 0 is indicated on the command line, it is usually being used
to allow the command line calling the batch file to pass the command,
something like putting in the password with:

echo [password] | gpg --passphrase-fd 0 -u [user] -d [filename]

Of course, you'd only do this on a single user computer that will not allow
other users to view your password, like a home computer running Linux that
isn't connected to the network.

----- Original Message -----
From: "Rasoul Hajikhani" <rasoul@rhythm.com>
To: <gnupg-users@gnupg.org>
Sent: Friday, April 12, 2002 16:05
Subject: --command-fd

> Hello People,
> I am trying to delete a key pair from an Apache thread. Here is my
> command:
> gpg --homedir /usr/lsd/apache-ssl/htdocs/secureDB/PGP/.gnupg --no-tty
> --command-fd 0 --delete-secret-and-public-key testtwo@rhythm.com
> The documentation for gpg says that --command-fd should be used with
> --status-fd but fails to explain how. Can someone shed some light on
> this for me?
> Thanks in advance.
> -r
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
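As an added example that is not part of this thread and not GnuPG's own code: a small Python driver that pairs --status-fd with --command-fd the way the reply above describes, using private pipes rather than fd 0 so that neither the answers nor a passphrase ever appears in the command line that ps can show. The status prefix "[GNUPG:]", the keywords GET_BOOL / GET_HIDDEN / GET_LINE and the prompt names delete_key.okay, delete_key.secret.okay and passphrase.enter are gpg's own; the function names, the constructed sample status stream and the answering policy are assumptions of this example. The passphrase branch applies to the gpg 1.x behaviour discussed in the thread; gpg 2.1 and later hand passphrase prompts to gpg-agent, so that prompt will not arrive on the command fd without further configuration.

```python
"""Drive gpg non-interactively through --status-fd / --command-fd.

gpg writes lines of the form "[GNUPG:] KEYWORD args" on the status fd.
When it needs an answer it emits GET_BOOL, GET_LINE or GET_HIDDEN with the
prompt name as the argument and then reads one line from the command fd.
Keeping both fds on private pipes means nothing sensitive is on argv.
"""
import io
import os
import subprocess
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of what gpg emits for --delete-secret-and-public-key
# (assumed for this example; real output carries more lines than this).
SAMPLE_STATUS = (
    "[GNUPG:] GET_BOOL delete_key.secret.okay\n"
    "[GNUPG:] GOT_IT\n"
    "gpg: this is not a status line and is ignored\n"
    "[GNUPG:] GET_BOOL delete_key.okay\n"
    "[GNUPG:] GOT_IT\n"
)


def parse_status_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one status line into (keyword, argument string).
    Anything without the [GNUPG:] prefix (e.g. stray diagnostics) gives None."""
    line = line.rstrip("\r\n")
    if not line.startswith(STATUS_PREFIX):
        return None
    keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
    return keyword, args


def answer_for(keyword: str, args: str, passphrase: str) -> Optional[str]:
    """Policy for replying to a prompt; None means gpg is not asking anything.
    Only the delete_key.* confirmations are answered "y"; every other yes/no
    question is refused so an unexpected prompt cannot be waved through."""
    if keyword == "GET_BOOL":
        return "y" if args.startswith("delete_key.") else "n"
    if keyword == "GET_HIDDEN" and args == "passphrase.enter":
        return passphrase          # gpg 1.x asks for passphrases this way
    if keyword == "GET_LINE":
        return ""                  # accept the default for free-text prompts
    return None


def drive(status, command, passphrase: str) -> List[Tuple[str, str]]:
    """Read status lines from `status`, write replies to `command`.
    Returns every parsed status tuple so the caller can inspect the run."""
    seen = []
    for line in status:
        parsed = parse_status_line(line)
        if parsed is None:
            continue
        seen.append(parsed)
        reply = answer_for(parsed[0], parsed[1], passphrase)
        if reply is not None:
            command.write(reply + "\n")
            command.flush()
    return seen


def replies_for_text(status_text: str, passphrase: str) -> str:
    """Run the answering policy over a captured status stream (no gpg needed)."""
    out = io.StringIO()
    drive(io.StringIO(status_text), out, passphrase)
    return out.getvalue()


def run_gpg(gpg_args: List[str], passphrase: str = "", gpg: str = "gpg"):
    """Run gpg with private status/command pipes. Returns (exit code, status tuples).
    Mirrors the thread's command: --no-tty plus --command-fd, with --status-fd
    added so the prompts are visible to the driver instead of a terminal."""
    status_r, status_w = os.pipe()     # gpg writes status lines to status_w
    cmd_r, cmd_w = os.pipe()           # gpg reads answers from cmd_r
    argv = [gpg, "--no-tty", "--status-fd", str(status_w),
            "--command-fd", str(cmd_r)] + list(gpg_args)
    proc = subprocess.Popen(argv, pass_fds=(status_w, cmd_r),
                            stderr=subprocess.DEVNULL)
    os.close(status_w)                 # parent keeps only its own pipe ends
    os.close(cmd_r)
    with os.fdopen(status_r, "r") as status, os.fdopen(cmd_w, "w") as command:
        seen = drive(status, command, passphrase)
    return proc.wait(), seen


if __name__ == "__main__":
    # Offline demonstration on the constructed stream; with a real gpg you
    # would call e.g. run_gpg(["--homedir", "/path/to/.gnupg",
    #                          "--delete-secret-and-public-key", "<keyid>"]).
    print(replies_for_text(SAMPLE_STATUS, ""), end="")
```

The pipes are created by the parent and handed over with pass_fds, so the integers on the command line identify descriptors that only this process and its gpg child can see; the unrelated-process view in ps shows two numbers and nothing else. Refusing any GET_BOOL prompt other than the expected delete_key.* ones is the detail worth keeping: a driver that answers "y" to everything turns an unexpected prompt into a silent approval.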