gpg and cron

Henry Hertz Hobbit hhhobbit at securemecca.net
Tue Jun 5 02:59:24 CEST 2007


Peter S. May wrote:

> 
> Arsha Bertie wrote:
>> I have been trying to run a script which encrypts and transfers files
>> between 2 branches. I am using gpg for encryption. I have written a bash
>> script and the script is working perfectly fine, but when I run it off a
>> cron it doesn't want to work.
> 
> Are you also testing the command manually as root?  If not, you'll
> probably want to run the task from your own user instead (you can edit
> your own user's cron tasks by doing "crontab -e").
> 
>> 30 * * * * root /backup/encrypt.sh > /tmp/ab.log
>> ~
>>
>>
>> The log file /tmp/ab.log is created after the cron executes but it is an
> 
> If you're trying to get the errors, you need to redirect stderr (i.e.
> "2>"), not stdout (i.e., ">").  Try:
> 
> /backup/encrypt.sh 2> /tmp/ab.log
> 
> Good fortune
> PSM

I am sorry I didn't see this earlier.  I would have answered it
individually.  cron frequently gives your shell script a very
abbreviated PATH since almost nothing is sourced.  In fact it is
so abbreviated that on some systems it is only /bin and /usr/bin.
It varies depending on the system you are on and which shell you
are using. First try a testgpgpath.sh script via cron:

#!/bin/bash

SAVEHISTSIZE=${HISTSIZE}
HISTSIZE=0
export HISTSIZE

rm -f /tmp/cron.log
touch /tmp/cron.log
echo default cron PATH is >> /tmp/cron.log 2>&1
echo $PATH >>  /tmp/cron.log 2>&1
echo >> /tmp/cron.log 2>&1

# just make sure the gpg version you are using is in the PATH first
PATH=/usr/local/bin:${PATH}:/usr/local/sbin ; export PATH
echo enhanced cron PATH is >> /tmp/cron.log 2>&1
echo $PATH >>  /tmp/cron.log 2>&1
echo >> /tmp/cron.log 2>&1

echo GPG version >> /tmp/cron.log 2>&1
gpg --version >> /tmp/cron.log 2>&1

HISTSIZE=${SAVEHISTSIZE}
export HISTSIZE

exit

The BASH you have may or may not do the history in the way I
mentioned but you probably don't want a history of the encryption
taking place even if you are encrypting to secret key and thus
don't need a password (the history MAY not be advisable, but the
password NOT being in the script IS advisable).

You can get a good idea of what to put where with a:

$ echo $PATH

Rather than adding as I did above, I SET the path in the script
so I know exactly what I have.  I also frequently specify the
path of the shell (in case you forget to give the file the
proper perms):

30 * * * * /bin/sh < /backup/encrypt.sh > /tmp/ab.log 2>&1

I don't know what the "root" is doing there.  If you want it to be
run by root, then login as root and do a "crontab -e" to enter the
information (be sure to set EDITOR to the editor of your choice).
Are you sure you want this done every 30 minutes? It seems like
something you would want done every 24 hours, and if that was done
at 3:30 every morning the line would be:

30 3 * * * /bin/sh < /backup/encrypt.sh > /tmp/ab.log 2>&1
0,15,30,45 * * * * /bin/sh < /backup/testgpgpath.sh > /tmp/testgpgpath.log 2>&1

Don't forget to remove the testgpgpath.  The other thing is that
root usually doesn't have keys, but just copying the ones you
want to /root/.gnupg makes that possible.

HHH
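
Added example, not part of the original message or thread: a preflight for a cron-driven gpg job that covers the three points raised above (a PATH set outright, errors reaching the log through stderr, and a usable keyring for the account that runs the job). CRON_PATH, the function names and the values in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for a gpg job that runs from cron.
# CRON_PATH, the function names and the sample values in the usage
# comment are assumptions, not taken from the thread.

# Fixed PATH, set outright so the job never depends on cron's default.
CRON_PATH="/usr/local/bin:/usr/bin:/bin"

# resolve_tool NAME PATHLIST
# Print the first executable NAME found in the colon-separated PATHLIST.
resolve_tool() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $2; do
        if [ -n "$_dir" ] && [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# check_homedir DIR
# Succeed only if DIR exists, belongs to the user running the job, and
# grants nothing to group or other (gpg warns about looser homedirs).
check_homedir() {
    [ -d "$1" ] || { echo "no keyring directory: $1" >&2; return 1; }
    _uid=$(ls -ldn "$1" | awk '{print $3}')
    _bits=$(ls -ldn "$1" | cut -c5-10)
    [ "$_uid" = "$(id -u)" ] || { echo "$1 not owned by uid $(id -u)" >&2; return 1; }
    [ "$_bits" = "------" ] || { echo "$1 is group/other accessible" >&2; return 1; }
}

# encrypt_for_cron HOMEDIR RECIPIENT FILE
# Run the checks, then encrypt without ever prompting: with --batch gpg
# fails and reports on stderr instead of waiting for input cron cannot give.
encrypt_for_cron() {
    _gpg=$(resolve_tool gpg "$CRON_PATH") || { echo "gpg not on $CRON_PATH" >&2; return 1; }
    check_homedir "$1" || return 1
    "$_gpg" --batch --no-tty --yes --homedir "$1" --recipient "$2" \
        --output "$3.gpg" --encrypt "$3"
}

# Usage inside the cron script (constructed values):
#   encrypt_for_cron /root/.gnupg backup@example.org /backup/data.tar || exit 1
```

Every failure is written to stderr, so the crontab entry needs the "2>&1" redirection for the reason to land in the log file.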
