scripting gpg

Jerome Baum jerome at
Thu May 5 02:44:14 CEST 2011

On Thu, May 5, 2011 at 02:19, Jon Drukman <jsd at> wrote:

> putenv('HOME=/tmp/gpg');
> @mkdir('/tmp/gpg');

At this point, you should be watching carefully. What if another user has
created this directory to spoof the key?

Use the appropriate command for creating a unique temporary directory.
Should be mktemp or similar.

> system("/usr/bin/gpg --batch --yes --import /sites/config/public_key.asc");
> system("/usr/bin/gpg --batch --yes --no-ask-cert-level --trust-model always
> --output $filename.gpg --encrypt --recipient $recipient $filename >
> /tmp/gpg.log
> 2>&1");

Again, what if the keyring is already in place? Could even be yourself --
you create the keyring once, import the public key at the time, then later
update the public key and import again -- now, which key to use?

Jerome Baum

tel +49-1578-8434336
email jerome at
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20110505/b6d78b59/attachment.htm>

More information about the Gnupg-users mailing list