Automated importing of keys

Neil Williams linux at codehelp.co.uk
Thu Jan 29 13:52:15 CET 2004


On Wednesday 28 Jan 2004 10:48 pm, Derek S. Graham wrote:
> Hello-
>
> I am working on a project where we are using GPG in an automated
> environment to pull encrypted files from a DMZ server and automatically
> decrypt them and move them to a specified location.  All this is working
> fine.  The problem I have is I need a script (Perl) that an administrator

There is a Perl module that can interface directly with GnuPG. It can retrieve 
public keys from the keyserver specified in the .gnupg/gpg.conf or 
.gnupg/options file with or without the auto-key-retrieve option. Just 
install GnuPG::Interface from CPAN, set the correct <path> in the $homedir 
variable and populate the @keylist array.

#!/usr/bin/perl -w
use strict;
use IO::Handle;
use GnuPG::Interface;
use GnuPG::Handles;

# Set the correct <path> for the user whose keyring is being updated
my $homedir = "/home/<path>/.gnupg";

# Populate with the key IDs to fetch from the keyserver named in gpg.conf
my @keylist;

my $gnupg = GnuPG::Interface->new();
$gnupg->options->hash_init( armor => 1, homedir => $homedir );
# Never prompt: this runs unattended (cron, cgi-bin, application hook)
$gnupg->options->meta_interactive( 0 );

# ===============================================
# Update the keys in the @keylist array in the local keyring
foreach my $idlist (@keylist) {
	# Fresh handles for every gpg invocation; the old ones are closed below
	my $input  = IO::Handle->new();
	my $output = IO::Handle->new();
	my $error  = IO::Handle->new();
	my $handles = GnuPG::Handles->new( stdin  => $input,
		stdout => $output, stderr => $error );

	my $pid = $gnupg->recv_keys( handles => $handles,
		command_args => [ $idlist ] );

	close $input;                 # --recv-keys reads nothing on stdin
	my @messages = <$error>;      # keyserver/import messages from gpg
	close $output;
	close $error;
	waitpid $pid, 0;
	my $exit = $? >> 8;
	warn "recv-keys $idlist failed (exit $exit): @messages" if $exit;
}

That's a snippet from a working script - it should work unless I've 
inadvertently omitted a line in the (more complex) original script.

Rather than running this manually, if you use apache or some other process 
that already runs as the specified user, Perl will behave in the same 
environment, e.g. you could run it as a .pl file in a cgi-bin, as a cron 
task or directly from the application (or one of its supporting scripts). 
The public key ID strings (in my case) are held in MySQL, which makes it 
simplicity itself to update the list. The script/application/cron can take 
care of the rest. MySQL can cope easily with only allowing access to the 
relevant table to certain users.

Ain't open source great!

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
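An added example, not code from the post above: it combines the two ideas in the reply (key identifiers held in MySQL, refreshed unattended through GnuPG::Interface) and adds the check an unattended importer needs, namely that what the keyserver returned carries the fingerprint the administrator vetted, since a keyserver will hand back whatever it has under a given ID. The table `trusted_keys`, its `fingerprint` column, the DSN and the credentials are hypothetical placeholders; `recv_keys`, `get_public_keys` and `fingerprint->as_hex_string` are the documented GnuPG::Interface calls.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use IO::Handle;
use GnuPG::Interface;
use GnuPG::Handles;

# Hypothetical setup: table trusted_keys(fingerprint) holds the full
# 40-hex-digit fingerprint recorded when each key was first vetted.
my $homedir = "/home/<path>/.gnupg";
my $dsn     = "DBI:mysql:database=keydb;host=localhost";   # placeholder
my ( $db_user, $db_pass ) = ( "keyreader", "<password>" );  # placeholder

my $dbh = DBI->connect( $dsn, $db_user, $db_pass, { RaiseError => 1 } );
my $sth = $dbh->prepare("SELECT fingerprint FROM trusted_keys");
$sth->execute();

my $gnupg = GnuPG::Interface->new();
$gnupg->options->hash_init( armor => 1, homedir => $homedir );
$gnupg->options->meta_interactive(0);    # never prompt when unattended

while ( my ($stored_fpr) = $sth->fetchrow_array ) {
    ( my $want = uc $stored_fpr ) =~ s/\s+//g;    # normalise for comparison

    # Fetch by full fingerprint rather than a short key ID, which is ambiguous
    unless ( refresh_key( $gnupg, $want ) ) {
        warn "could not fetch $want from the keyserver\n";
        next;
    }

    # Confirm the local keyring now holds a key with exactly that fingerprint
    my @got = map { uc $_->fingerprint->as_hex_string }
                  $gnupg->get_public_keys($want);
    if ( grep { $_ eq $want } @got ) {
        print "refreshed $want\n";
    }
    else {
        warn "FINGERPRINT MISMATCH: wanted $want, keyring has: @got\n";
    }
}

# Run gpg --recv-keys for one identifier; true on success.
sub refresh_key {
    my ( $gnupg, $id ) = @_;
    my ( $input, $output, $error ) = map { IO::Handle->new() } 1 .. 3;
    my $handles = GnuPG::Handles->new(
        stdin => $input, stdout => $output, stderr => $error );

    my $pid = $gnupg->recv_keys( handles => $handles, command_args => [$id] );
    close $input;               # --recv-keys reads nothing on stdin
    my @messages = <$error>;    # keyserver/import messages from gpg
    close $output;
    close $error;
    waitpid $pid, 0;

    my $exit = $? >> 8;
    warn "gpg: @messages" if $exit;
    return $exit == 0;
}
```

The mismatch branch only warns; whether the importer then deletes the unexpected key or stops processing is a local policy choice, and the database account used here needs nothing beyond SELECT on that one table.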