Signing already-encrypted files (all to self)?

Peter Lebbing peter at digitalbrains.com
Mon Nov 14 15:42:58 CET 2011


On 14/11/11 12:11, Chris Poole wrote:
> 2. `find maildir/ -not -name '*.gpg' | gpg ...` to encrypt these new files
>
> At this point in the script now, I would want to hash the new files, but now
> they'll have the `.gpg` output extension.

The following is just a sketch; I'm not completely checking if I do it right.

find maildir/ -type f -not -name '*.gpg' \
  -execdir gpg -r you -o '{}.gpg' -e '{}' ';' \
  -execdir gpg --print-md SHA256 '{}.gpg' ';'

The trick obviously is that find can do multiple executions. I didn't know this
either, I just tried it out :). There are different variations. This one outputs
the hashes on stdout, and I don't know a way to separate the stdouts, for when
the encryption command would start printing stuff on stdout.

But a different variation is to define a helper program (called do_gpg):

--8<----------(cut here)---------->8--
#!/bin/sh
# Encrypt $1 for "you"; hash the ciphertext only if encryption succeeded.
gpg -r you -o "$1.gpg" -e "$1" &&
  gpg --print-md SHA256 "$1.gpg" >>sha256sums
# find -execdir runs this inside the file's own directory, so sha256sums is per directory.
--8<----------(cut here)---------->8--

and then:

find maildir/ -type f -not -name '*.gpg' \
  -execdir do_gpg '{}' ';'

As a third variation, you could only define a helper program to do the
checksumming, and have two -execdir arguments to find.

Note that piping the output from find like you write gives issues with filenames
with special characters (space, newline, etcetera), but that might not be a
problem for you.

And also note that encrypting identical plaintexts will lead to different
ciphertexts, and hence, hashes. If you sometimes re-encrypt the same data, you
need to be aware of this or you'll think your files have been tampered with
because the hash no longer checks out.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
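
A fuller version of the helper approach in Peter's reply, added here as an example for this archive page (it is not Peter's code nor part of GnuPG). It keeps a single hash list for the whole tree, skips directories and already-encrypted files, passes filenames as arguments rather than through a pipe, and only hashes a ciphertext whose encryption succeeded; `RECIPIENT`, the function names and the use of coreutils `sha256sum` (so the list can be checked with `sha256sum -c`) in place of `gpg --print-md` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt every plaintext file under a
# maildir to the recipient and record the SHA-256 of each resulting .gpg file
# in ONE sums file, then verify that list later with sha256sum -c.
#   -type f          : skip the maildir's own directories (cur/, new/, tmp/)
#   ! -name '*.gpg'  : never encrypt an already-encrypted file twice
#   -exec sh -c      : filenames arrive as arguments, not through a pipe,
#                      so spaces and other odd characters are safe
#   absolute sums    : one list for the whole tree (with -execdir the relative
#                      path would land in every subdirectory instead)
#   && chaining      : a file whose encryption fails is never hashed
# "you" is a placeholder recipient; RECIPIENT is an assumption of this example.
RECIPIENT=${RECIPIENT:-you}

encrypt_and_hash_tree() {
    dir=$1 sums=$2
    : > "$sums"                                      # start an empty list
    sums=$(cd "$(dirname "$sums")" && pwd)/$(basename "$sums")
    find "$dir" -type f ! -name '*.gpg' -exec sh -c '
        sums=$1; recipient=$2; shift 2
        for f; do
            gpg --batch --yes -r "$recipient" -o "$f.gpg" -e "$f" \
                && sha256sum "$f.gpg" >> "$sums"
        done' sh "$sums" "$RECIPIENT" {} +
}

# Re-hash every listed .gpg file; exit status 0 only if all still match.
verify_tree() {
    sha256sum -c "$1" > /dev/null
}

# Usage: encrypt_and_hash_tree maildir/ sha256sums && verify_tree sha256sums
```

Re-running `encrypt_and_hash_tree` over the same plaintexts produces new ciphertexts and therefore a new list, which is exactly the re-encryption caveat from the reply; compare against the list made at encryption time, not against a fresh one.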



More information about the Gnupg-users mailing list