scripting gpg

Jon Drukman jsd at cluttered.com
Thu May 5 19:21:44 CEST 2011


On Wed, May 4, 2011 at 5:44 PM, Jerome Baum <jerome at jeromebaum.com> wrote:

> On Thu, May 5, 2011 at 02:19, Jon Drukman <jsd at cluttered.com> wrote:
>
>> putenv('HOME=/tmp/gpg');
>> @mkdir('/tmp/gpg');
>>
>
> At this point, you should be watching carefully. What if another user has
> created this directory to spoof the key?
>

There are no other users on this box, it has a default-deny firewall, and
password logins are disabled.  You need to be coming from my office with the
correct ssh key.


>> system("/usr/bin/gpg --batch --yes --import /sites/config/public_key.asc");
>> system("/usr/bin/gpg --batch --yes --no-ask-cert-level --trust-model
>> always
>> --output $filename.gpg --encrypt --recipient $recipient $filename >
>> /tmp/gpg.log
>> 2>&1");
>
>
> Again, what if the keyring is already in place? Could even be yourself --
> you create the keyring once, import the public key at the time, then later
> update the public key and import again -- now, which key to use?
>
>
In my testing it seems like if you import the same key over and over again,
nothing bad happens.  gpg just ignores it:

% gpg --import /sites/config/public_key.asc
gpg: key 43B4963D: "[redacted]" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1


% gpg --import /sites/config/public_key.asc
gpg: key 43B4963D: "[redacted]" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

% gpg --list-keys
/Users/jsd/.gnupg/pubring.gpg
-----------------------------
pub   1024D/43B4963D 2002-04-10
uid                  [redacted]
sub   1024g/861E4AE2 2002-04-10

Thanks for double checking my work!  Always good to get an extra pair of
eyes on things.

-jsd-
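A hardened version of the sequence quoted above, added here as an example and not the poster's script: it creates a fresh 0700 GNUPGHOME instead of reusing a fixed /tmp/gpg, aborts if the directory already exists (the spoofing concern raised in the thread), and pins the recipient to a full key fingerprint. The fingerprint is a placeholder, since the thread only shows the short id 43B4963D; the gpg path and key file path are the ones from the thread, and the posix extension is assumed.

```php
<?php
// Added example, not the original poster's code. EXPECTED_FPR is a placeholder.
const GPG = '/usr/bin/gpg';
const PUBLIC_KEY_FILE = '/sites/config/public_key.asc';
const EXPECTED_FPR = 'REPLACE-WITH-THE-40-HEX-CHAR-KEY-FINGERPRINT'; // placeholder

// Create a fresh, private keyring directory. mkdir() with mode 0700 fails if the
// path already exists, so a pre-created directory aborts the run instead of
// being silently reused as @mkdir('/tmp/gpg') did.
function makePrivateHome(): string {
    $dir = sys_get_temp_dir() . '/gpg-' . bin2hex(random_bytes(8));
    if (!mkdir($dir, 0700)) {
        throw new RuntimeException("could not create private GNUPGHOME $dir");
    }
    $st = stat($dir); // assumes the posix extension for posix_geteuid()
    if ($st['uid'] !== posix_geteuid() || ($st['mode'] & 0777) !== 0700) {
        throw new RuntimeException("$dir has unexpected owner or mode");
    }
    return $dir;
}

// Run gpg with GNUPGHOME pinned to our directory; every argument is escaped.
function runGpg(string $home, array $args, ?string &$output = null): int {
    $cmd = 'GNUPGHOME=' . escapeshellarg($home) . ' ' . GPG . ' --batch --yes '
         . implode(' ', array_map('escapeshellarg', $args)) . ' 2>&1';
    exec($cmd, $lines, $rc);
    $output = implode("\n", $lines);
    return $rc;
}

function encryptFile(string $filename): void {
    $home = makePrivateHome();
    if (runGpg($home, ['--import', PUBLIC_KEY_FILE], $out) !== 0) {
        throw new RuntimeException("import failed: $out");
    }
    // Answer the "which key to use?" question explicitly: --with-colons prints
    // "fpr:::::::::<fingerprint>:" lines, and we require the expected one.
    runGpg($home, ['--with-colons', '--fingerprint', '--list-keys'], $listing);
    if (!preg_match('/^fpr:+' . preg_quote(EXPECTED_FPR, '/') . ':/m', $listing)) {
        throw new RuntimeException('imported key does not match expected fingerprint');
    }
    // Encrypt to the fingerprint, not a name, so a same-named key cannot be substituted.
    $rc = runGpg($home, ['--trust-model', 'always', '--output', "$filename.gpg",
                         '--encrypt', '--recipient', EXPECTED_FPR, $filename], $out);
    if ($rc !== 0) {
        throw new RuntimeException("encrypt failed: $out");
    }
}
```

The private directory should be removed after use (or on failure) so keyrings do not accumulate under the temp directory.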