--gen-revoke in batch

Meenal Pant mpant at ncsa.uiuc.edu
Tue Apr 29 18:09:35 CEST 2008


Based on Werner's suggestion, I have a test script now to create
revocation certificates.

I use this command in the script:
gpg -a -o "rev.asc"  --command-fd 0 --status-fd 2 --gen-revoke 409900FC

The responses entered by the script are all strings followed by an LF.

The output is as follows:
....
[GNUPG:] GOT_IT
Reason for revocation: Key has been compromised
(No description given)
[GNUPG:] GET_BOOL ask_revocation_reason.okay
y
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 90FBD027409900FC Testkey (test) <xxx at yyy.uiuc.edu>
[GNUPG:] NEED_PASSPHRASE 90FBD027409900FC 90FBD027409900FC 17 0

You need a passphrase to unlock the secret key for
user: "Testkey (test) <xxx at yyy.uiuc.edu>"
1024-bit DSA key, ID 409900FC, created 2008-04-17

[GNUPG:] GET_HIDDEN passphrase.enter
revokekey
[GNUPG:] GOT_IT

[GNUPG:] BAD_PASSPHRASE 90FBD027409900FC

gpg: Invalid passphrase; please try again ...
[GNUPG:] USERID_HINT 90FBD027409900FC Testkey (test) <xxx at yyy.uiuc.edu>
[GNUPG:] NEED_PASSPHRASE 90FBD027409900FC 90FBD027409900FC 17 0

You need a passphrase to unlock the secret key for
user: "Testkey (test) <xxx at yyy.uiuc.edu>"
1024-bit DSA key, ID 409900FC, created 2008-04-17

[GNUPG:] GET_HIDDEN passphrase.enter
revokekey
[GNUPG:] GOT_IT
[GNUPG:] MISSING_PASSPHRASE

[GNUPG:] BAD_PASSPHRASE 90FBD027409900FC
gpg: Invalid passphrase; please try again ...
[GNUPG:] USERID_HINT 90FBD027409900FC Testkey (test) <xxx at yyy.uiuc.edu>
[GNUPG:] NEED_PASSPHRASE 90FBD027409900FC 90FBD027409900FC 17 0

Now when I run the same command on command line it works and a
revocation certificate is created.
...
Correct
y
[GNUPG:] GET_BOOL ask_revocation_reason.okay
y
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 90FBD027409900FC Testkey (test) <xxx at yyy.uiuc.edu>
[GNUPG:] NEED_PASSPHRASE 90FBD027409900FC 90FBD027409900FC 17 0

You need a passphrase to unlock the secret key for
user: "Testkey (test) <xxx at yyy.uiuc.edu>"
1024-bit DSA key, ID 409900FC, created 2008-04-17

[GNUPG:] GET_HIDDEN passphrase.enter
revokekey
[GNUPG:] GOT_IT

[GNUPG:] GOOD_PASSPHRASE

ASCII armored output forced.
File `rev.asc' exists.
[GNUPG:] GET_BOOL openfile.overwrite.okay
y
[GNUPG:] GOT_IT
[GNUPG:] GOOD_PASSPHRASE
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!


Any idea why entering the passphrase as a string in the script is not
working?

Thanks
Meenal


Werner Koch wrote:
> On Thu, 17 Apr 2008 20:28, mpant at ncsa.uiuc.edu said:
> 
>>>   $ gpg2 --status-fd 2  --command-fd 0 --gen-revoke joe
>> I guess I can use gpg here ?
> 
> Yes.
> 
>>>   [GNUPG:] GET_BOOL gen_revoke.okay
>> Are these commands generated by GPG ?
> 
> The option --status-fd N generates them and writes them to the file
> descriptor N (in the example 2 = stderr); you may want to use 1 for stdout.
> 
> 
>> What is FSM? Finite State Machine. How can I use this?
> 
> Right.  This is the proper way to automate gpg using
> --command-fd/--status-fd.  It is a bit of work but has the advantage
> that it won't break or, even worse, yield unexpected results if gpg
> adds other status messages.  The GPA frontend uses this approach
> (src/gpgmeedit.c).
> 
>>> should be answered with just a LF.  Of course you would use the
>> What if LF ?
> 
> linefeed or in C notation "\n" (ASCII code 0x10).
> 
>> I need to write the revocation certificate to a file too.
> 
> Use the gpg option
> 
>   --output FILE
> 
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
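The state-machine approach Werner describes, written out as an added example (not code from the thread, from GnuPG or from GPA): the script reads gpg's status lines one at a time and replies only to GET_BOOL/GET_LINE/GET_HIDDEN prompts, each answer being exactly the string plus one LF, flushed before reading on, so the passphrase is never written before gpg asks for it. The ask_revocation_reason.code/.text keywords, the use of --status-fd 1, and the function and variable names are assumptions not shown in this thread.

```python
from subprocess import PIPE, Popen

# Prompt keywords gpg emits on the status fd, mapped to the reply the script
# feeds back on the command fd. The *.okay and passphrase.enter keywords appear
# in the thread; the .code/.text prompts are assumed from GnuPG's revoke.c.
DEFAULT_ANSWERS = {
    "gen_revoke.okay": "y",
    "ask_revocation_reason.code": "1",   # 1 = key has been compromised
    "ask_revocation_reason.text": "",    # empty line ends the description
    "ask_revocation_reason.okay": "y",
    "openfile.overwrite.okay": "y",
}
PROMPTS = ("GET_BOOL", "GET_LINE", "GET_HIDDEN")

def reply_for(status_line, answers):
    """Reply (without LF) for a GET_* line, or None for informational lines
    such as GOT_IT, USERID_HINT and NEED_PASSPHRASE, which must not be answered."""
    parts = status_line.split()
    if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] not in PROMPTS:
        return None
    if parts[2] not in answers:
        raise KeyError("unexpected gpg prompt: " + parts[2])
    return answers[parts[2]]

def drive(status_lines, send, answers):
    """Walk the status stream as a state machine; return the final verdict."""
    verdict = "incomplete"
    for raw in status_lines:
        line = raw.rstrip("\r\n")            # strip only the line ending
        if line.startswith("[GNUPG:] BAD_PASSPHRASE"):
            return "bad_passphrase"          # stop instead of retrying blindly
        if line.startswith("[GNUPG:] GOOD_PASSPHRASE"):
            verdict = "good_passphrase"
        reply = reply_for(line, answers)
        if reply is not None:
            send(reply + "\n")               # exactly one LF terminates a reply
    return verdict

def gen_revoke(keyid, passphrase, outfile):
    """Run gpg with status on fd 1 and replies on fd 0, as the thread suggests."""
    answers = dict(DEFAULT_ANSWERS, **{"passphrase.enter": passphrase})
    cmd = ["gpg", "-a", "-o", outfile, "--command-fd", "0", "--status-fd", "1",
           "--gen-revoke", keyid]
    with Popen(cmd, stdin=PIPE, stdout=PIPE, text=True) as proc:
        def send(text):
            proc.stdin.write(text)
            proc.stdin.flush()               # answer only after the prompt arrived
        verdict = drive(proc.stdout, send, answers)
        proc.stdin.close()
    return verdict
```

With -o pointing at the certificate file, stdout carries only status lines, so the human-readable prompts on stderr never get mixed into the stream the script parses.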
