Newbie question - how to include the pass phrase in the command

Ping Kam pkam@quikcard.com
Thu Jun 5 17:48:01 2003


----- Original Message -----
From: "Steve Butler" <sbutler@fchn.com>
To: "'Ping Kam'" <pkam@quikcard.com>; <gnupg-users@gnupg.org>
Sent: Thursday, June 05, 2003 8:50 AM
Subject: RE: Newbie question - how to include the pass phrase in the command


> There are two ways to do this.  Both work for Windows or Unix.  But since
> I'm on Unix I'll show the Unix flavor and point out what I've heard about
> doing it on Windows.
>
Thanks.

> 1.  First, the easiest way.  Remove the pass phrase.  Well, since the pass
> phrase is going to be on the box anyway and somebody is likely to see it
> (especially when rooting around in the file system) why not make it easier
> on yourself.  No pass phrase is the #1 recommended solution for those who
> need some sort of automated interface.
>
I have two questions though.
First, how to remove the pass phrase?
Can I still sign the encryption?  I don't want to remove the pass phrase and
then find out that I can't sign the file without the pass phrase and now I
can't restore the pass phrase.

> 2.  Then, for folks like me <<grin>>, who must have to have that false
> sense of at least trying to raise a roadblock, do some simple code
> encryption that a mildly interested hacker could decode in two heartbeats
> but would stop the casual observer.  (1's complement, zip compression, hex
> dump, etc, or some combo of two or more) then feed it via the following
> mechanism:
>
>
>    my_decrypt < my_pass_file | gpg --homedir $homedir --passphrase-fd 0 \
>         --output "$3" --decrypt "$2"
>
>
> Now, I've heard piping in the above manner doesn't work on Windows and
> that the passphrase-fd isn't a number but some DOS type file handle.  But,
> if you were doing this on Unix (or Linux) that's the command line you'd
> use.  Perhaps the Windows experts can clue you in on how the FD is
> formatted and handled in the Windows world.
>
I have got a script sample from a friend like this for Windows:

echo %1|gpg  --encrypt --output %2.asc --armour --recipient our_own_userid --encrypt-to the_recipient_userid --passphrase-fd 0 %2

Then I can execute the cmd file like this:
MyCmdFile MyPassphrase SourceFileName

What I found out is that it will encrypt the file even without the pass
phrase.  What I mean is the following will work:
  echo |gpg  --encrypt --output %2.asc --armour --recipient our_own_userid --encrypt-to the_recipient_userid --passphrase-fd 0 %2
then execute the cmd file without the passphrase parameter.

But if I add the --sign option, in both cases, then GPG will prompt me to
enter the passphrase.  If I execute the cmd file from a window app, then
no file will be created.  Since GPG just runs in the background, the user
can't see the command window to complete the encryption, and the process
will not terminate.  I can see one more instance added to the task manager
every time I execute the cmd from a window app.

So how can I sign a file using the command line without any interaction with
GPG?

I hope I make it clear.

Thanks,
Ping Kam
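
Added example, not part of the original message or of GnuPG: a Unix shell wrapper for the --passphrase-fd 0 approach quoted above that also signs, using --batch so gpg exits with an error instead of waiting at a prompt nobody can see. The names sign_encrypt and GPG, the argument order, and the passphrase-file permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: sign and encrypt a file with no interactive prompt.
# GPG, sign_encrypt and the argument order are names chosen for this example.
GPG=${GPG:-gpg}

# usage: sign_encrypt PASSFILE SIGNER RECIPIENT INFILE
sign_encrypt() {
    passfile=$1
    signer=$2
    recipient=$3
    infile=$4

    # Refuse a passphrase file that group or others can access at all.
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$passfile" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $passfile: must be mode 0600 or stricter" >&2
        return 2
    fi

    # --batch: never prompt; gpg fails instead of waiting on a hidden
    #     console, which is what leaves stuck processes behind.
    # --passphrase-fd 0: read the passphrase from stdin, so it never
    #     appears in the argument list visible in the process table
    #     (unlike passing it as a script parameter and echoing it).
    # GnuPG 2.1 and later also need "--pinentry-mode loopback" here.
    "$GPG" --batch --yes --passphrase-fd 0 \
        --local-user "$signer" --recipient "$recipient" \
        --armor --output "$infile.asc" --sign --encrypt "$infile" \
        < "$passfile"
}

# When run as a script with four arguments, do the work directly.
if [ "$#" -eq 4 ]; then
    sign_encrypt "$@"
fi
```

A non-zero exit status means nothing was signed; check it in the calling application rather than waiting for the output file to appear.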