Signing already-encrypted files (all to self)?

Peter Lebbing peter at
Mon Nov 14 15:42:58 CET 2011

On 14/11/11 12:11, Chris Poole wrote:
> 2. `find maildir/ -not -name '*.gpg' | gpg ...` to encrypt these new files
> At this point in the script now, I would want to hash the new files, but now
> they'll have the `.gpg` output extension.

The following is just a sketch, I'm not completely checking if I do it right.

find maildir/ -type f -not -name '*.gpg' \
  -execdir gpg -r you -o '{}.gpg' -e '{}' ';' \
  -execdir gpg --print-md SHA256 '{}.gpg' ';'

The trick obviously is that find can do multiple executions. I didn't know this
either, I just tried it out :). There are different variations. This one outputs
the hashes on stdout, and I don't know a way to separate the stdout's, for when
the encryption command would start printing stuff on stdout.

But a different variation is to define a helper program (called do_gpg):

--8<----------(cut here)---------->8--
#!/bin/sh
# do_gpg: encrypt $1 to yourself, then record the hash of the ciphertext
gpg -r you -o "$1.gpg" -e "$1"
gpg --print-md SHA256 "$1.gpg" >>sha256sums
--8<----------(cut here)---------->8--

and then:

find maildir/ -type f -not -name '*.gpg' \
  -execdir do_gpg '{}' ';'

As a third variation, you could only define a helper program to do the
checksumming, and have two -execdir arguments to find.

Note that piping the output from find like you write gives issues with filenames
with special characters (space, newline, etcetera), but that might not be a
problem for you.

And also note that encrypting identical plaintexts will lead to different
ciphertexts, and hence, hashes. If you sometimes re-encrypt the same data, you
need to be aware of this or you'll think your files have been tampered with
because the hash no longer checks out.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
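A fuller version of the "helper program" variation, added here as an example; it is not code from Peter's message or from GnuPG. It keeps the per-file encrypt-then-hash step, but passes filenames as arguments to a child shell rather than through a pipe (so spaces and newlines in names are safe), writes the manifest in sha256sum(1) format instead of gpg --print-md output so it can be checked later with sha256sum -c, and skips any file that already has a .gpg sibling so the same plaintext is not re-encrypted into a new ciphertext whose hash no longer matches the manifest. It assumes GNU findutils and coreutils with gpg on PATH; GPG_RECIPIENT and MANIFEST are hypothetical settings invented for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): encrypt new mail files to yourself and
# keep a verifiable manifest of the ciphertext hashes.
# Assumes GNU findutils + coreutils and gpg on PATH. GPG_RECIPIENT and MANIFEST are
# hypothetical settings chosen for this example.
set -eu

GPG_RECIPIENT="${GPG_RECIPIENT:-you}"   # key id / address to encrypt to
MANIFEST="${MANIFEST:-sha256sums}"       # sha256sum(1)-format list of .gpg hashes
export GPG_RECIPIENT MANIFEST            # the per-file child shell below reads these

# Encrypt every regular file under $1 that has no .gpg sibling yet, and append the
# hash of each new .gpg file to the manifest.
#   - find hands each path to the child shell as its own argument, so names with
#     spaces or newlines are never split (piping find's output would split them).
#   - Files whose .gpg already exists are skipped: encrypting the same plaintext
#     again gives a different ciphertext and hence a different hash, which would
#     make the old manifest line fail verification.
encrypt_and_hash_dir() {
    find "$1" -type f -not -name '*.gpg' -exec sh -c '
        for f do
            [ -e "$f.gpg" ] && continue
            gpg --batch -r "$GPG_RECIPIENT" -o "$f.gpg" -e "$f" || exit 1
            sha256sum -- "$f.gpg" >> "$MANIFEST" || exit 1
        done' sh {} +
}

# Check every recorded .gpg file against the manifest; non-zero exit on any
# mismatch or missing file. Run it from the directory the manifest was written
# in, since it stores the paths exactly as find produced them.
verify_manifest() {
    sha256sum --quiet -c -- "$MANIFEST"
}

# Usage: sh encrypt_and_hash.sh maildir/                  (encrypt + record)
#        sh -c '. ./encrypt_and_hash.sh; verify_manifest'  (later integrity check)
if [ "$#" -gt 0 ]; then
    encrypt_and_hash_dir "$1"
fi
```

The manifest grows by one line per newly encrypted file, so a later verify_manifest reports exactly which ciphertext changed; if you do need to re-encrypt a file, delete its old .gpg and its manifest line first, otherwise the stale line will (correctly) fail.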
