syntax for encrypting only the string passed in an argument

Peter Pentchev roam at ringlet.net
Fri Apr 17 15:01:45 CEST 2009


On Thu, Apr 16, 2009 at 12:38:52AM -0700, Incomex wrote:
> 
> I want to be able to call a shell from within a development environment
> and pass a string of data to it to be de/en/crypted.  The idea would look
> like this:
> 
> read from file "data.txt" line z and put it into variableY
> variablex = call shell(gpg -e -r Joe variableY)
> print variablex
> 
> rem:  variableY is the plaintext, variablex is the returned cyphertext

I don't think GnuPG supports this syntax; however, you can do it
somewhat indirectly by:

  echo $variableY | gpg -e -r Joe -o var_y.txt.gpg

You could even write a simple program (or shell script, or Perl script,
or something) that uses the mktemp() or mkstemp() standard C library
functions, or the mktemp(1) command-line utility, creates a temporary
file, has GnuPG output to it, displays it, and removes it.

Actually, come to think of it, here's a shell script and a Perl script
that do that - down there, right after the signature.  Hope you can
at least read the code to see the ideas if you can't use them directly :)
Caveat emptor: the shell script does not deal very well with recipient
names containing whitespace or special characters!  Also, the use of
"echo ... | gpg" makes it susceptible to a "ps awwfux" attack whereby
somebody who runs a "ps" command on the right server at the right time
might see the arguments to the "echo" command in the process list and
learn what you want to encrypt.

Hope that helps!

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at space.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.


#!/usr/bin/perl -w
#
# Copyright (c) 2009  Peter Pentchev
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Ringlet: security/gpgenv/trunk/gpgenv/gpgenv.pl 3525 2009-04-17 12:58:10Z roam $

use strict;

use Fcntl qw(SEEK_SET);	# seek() below needs this constant under "use strict"
use File::Temp;

MAIN:
{
	my ($var, $value, $f, $p, $pid, $buf);
	my (@recip);

	if ($#ARGV < 1) {
		die("Usage: gpgenv varname recipient...\n");
	}
	($var, @recip) = @ARGV;

	# The plaintext is taken from the named environment variable, so it
	# never appears in any process's argument list.
	$value = $ENV{$var} || '';
	# File::Temp creates the file with mode 0600 and unlinks it on exit.
	$f = new File::Temp or die("Creating a temp file: $!\n");
	chmod(0600, $f) or die("Setting a mode on ".$f->filename().": $!\n");
	# Fork a child whose standard input is the pipe we write to.
	$pid = open($p, '|-');
	if (!defined($pid)) {
		die("Forking for GnuPG: $!\n");
	} elsif ($pid == 0) {
		# Child: sanitize the environment, then exec GnuPG with one
		# "-r" per recipient; the ciphertext goes into the temp file.
		$ENV{'PATH'} = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/X11R6/bin';
		delete @ENV{qw/IFS CDPATH ENV BASH_ENV/};
		exec('gpg', '--batch', '--yes', '-e', '-o', $f->filename(),
		    map { ('-r', $_) } @recip);
		die("Executing GnuPG: $!\n");
	}
	# Parent: feed the plaintext to GnuPG, wait for it to finish, then
	# copy the ciphertext from the temp file to standard output.
	print $p "$value\n" or
	    die("Sending the value of the $var variable to the child: $!\n");
	close($p) or die("The child process exited with an error\n");
	seek($f, 0, SEEK_SET) or die("Rewinding the output file: $!\n");
	while (read($f, $buf, 4096) > 0) {
		print $buf;
	}
}



#!/bin/sh
#
# Copyright (c) 2009  Peter Pentchev
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Ringlet: security/gpgenv/trunk/gpgenv/gpgenv.sh 3525 2009-04-17 12:58:10Z roam $

set -e

if [ "$#" -lt 2 ]; then
	echo 'Usage: gpgenv varname recipient...' 1>&2
	exit 1
fi
varname="$1"
shift
# Turn "a b c" into "a -r b -r c" so that "-r $recip" below names every
# recipient; this is why recipient names must not contain whitespace.
recip=`echo "$@" | sed -e 's/ / -r /g'`

# Pick the first usable temporary directory: $TMPDIR, $TEMPDIR, $TMP,
# $TEMP, then /tmp.
tmpd='/tmp'
empty=''
d="$TMPDIR"
for i in TEMPDIR TMP TEMP tmpd empty; do
	if [ -z "$d" ] || [ ! -d "$d" ] || [ ! -w "$d" ]; then
		eval "d=\$$i"
	fi
done
if [ -z "$d" ]; then
	echo 'Could not find a temporary directory' 1>&2
	exit 1
fi

# Create the output file, make sure it is removed however the script
# exits, and keep it readable only by its owner.
f=`mktemp "$d/gpgenv.XXXXXX"`
trap "rm -f $f" EXIT HUP INT QUIT TERM
chmod 600 "$f"

# The plaintext is read from the named environment variable and piped to
# GnuPG; the ciphertext lands in the temp file and is then printed.
eval "echo \$$varname" | gpg --batch --yes -e -r $recip -o "$f"
cat "$f"
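An added example, not part of Peter's scripts or of GnuPG itself: a small Python wrapper for the same task that assumes gpg is on the PATH and that each recipient's public key is already in the keyring. It builds the argument vector as a list and runs it without a shell, so a recipient name containing whitespace stays one argument; it feeds the plaintext to gpg over standard input, so the text being encrypted never appears in any process's argument list; and it skips the temporary file by letting gpg write the ciphertext to standard output, which is what gpg does when no -o is given. The UPPERCASE_FILTER stand-in and the sample line are constructed so the module runs offline without a keyring.

```python
import subprocess
import sys
from typing import Sequence


def build_gpg_argv(recipients: Sequence[str], gpg: str = "gpg",
                   armor: bool = True) -> list:
    """Build the argument vector for a GnuPG encrypt run.

    The vector goes to subprocess without a shell, so a recipient such as
    "Joe Bloggs" stays a single argument.  Only recipient names are here;
    the plaintext itself never becomes an argument.
    """
    argv = [gpg, "--batch", "--yes", "--encrypt"]
    if armor:
        argv.append("--armor")      # ASCII-armored output is safe to print
    for recipient in recipients:
        argv.extend(["--recipient", recipient])
    return argv


def pipe_through(argv: Sequence[str], data: bytes) -> bytes:
    """Run argv, write data to its stdin and return its stdout.

    Nothing from data reaches the command line, so a process listing only
    ever shows the recipient names.  No temporary file is needed: gpg
    writes the ciphertext to stdout when -o is absent.
    """
    proc = subprocess.run(list(argv), input=data, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, check=False)
    if proc.returncode != 0:
        raise RuntimeError("%s failed (exit %d): %s" % (
            argv[0], proc.returncode,
            proc.stderr.decode("utf-8", errors="replace").strip()))
    return proc.stdout


def encrypt_string(plaintext: str, recipients: Sequence[str],
                   gpg: str = "gpg") -> str:
    """Encrypt plaintext for recipients and return the armored ciphertext."""
    if not recipients:
        raise ValueError("at least one recipient is required")
    ciphertext = pipe_through(build_gpg_argv(recipients, gpg),
                              plaintext.encode("utf-8"))
    return ciphertext.decode("ascii")


# Constructed stand-in for gpg so the module runs without a keyring: it
# upper-cases stdin, which is enough to show that the data travels through
# the pipe rather than through the argument list.
UPPERCASE_FILTER = [sys.executable, "-c",
                    "import sys; sys.stdout.write(sys.stdin.read().upper())"]


if __name__ == "__main__":
    # Constructed sample line; on a machine with Joe's public key, call
    # encrypt_string("line z of data.txt", ["Joe"]) instead.
    print(pipe_through(UPPERCASE_FILTER, b"line z of data.txt\n").decode())
```

Decryption is the same shape with the argument vector swapped for `["gpg", "--batch", "--decrypt"]` and the ciphertext fed to pipe_through, so one wrapper covers both directions of the original question.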
More information about the Gnupg-users mailing list