non-interactive expiration of a key using --batch?

Werner Koch wk at gnupg.org
Mon May 7 20:47:06 CEST 2012


Hi,

the problem you have is that you mix commands on the command line and
those from stdin.  If you replace

  $ printf "10w\nsave\n" | gpg --batch --passphrase-fd 3 \
      --command-fd 0 --status-fd=2 --edit-key test@example.org expire 3<pw

by

  $ printf "expire\n10w\nsave\n" | gpg --batch --passphrase-fd 3 \
      --command-fd 0 --status-fd=2 --edit-key test@example.org 3<pw

it will work as you expect.  Reading commands from the command line is
a kludge which allows implementing --sign-key easily.  Commands from the
command line are read and evaluated before reading commands from stdin.
Now, the definition of --batch is that no user input is required.  Thus
it will terminate gpg immediately when there are no more commands from
the command line.  I agree that the mix of --command-fd and --batch is
not very clean.  Changing this behaviour would for sure break some
existing code.

Using these batched commands is in any case not a good idea, because you
never know what gpg wants to know from you.  The very first version of
GPA was implemented only with batched commands and thus stopped working
for any more complicated keys.  The current version of GPA uses a FSM to
provide default answers to unknown prompts and thus keeps on working
even with slightly changed --edit-key interface.

A word of warning in the man page would be a good idea; however the
entire interface is not very well documented I fear.



Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
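The post recommends driving --edit-key from a state machine that answers the
status-fd prompts rather than from a fixed printf pipeline, because a batched
script breaks as soon as gpg asks something it did not anticipate.  The
following is an added example sketching that approach for the "expire"
dialogue; it is not GnuPG's or GPA's code.  It assumes the prompt identifiers
keyedit.prompt, keygen.valid, keygen.valid.okay and keyedit.save.okay (GnuPG's
status-fd names, not listed in the post), and the transcript it is exercised
on is constructed, not captured from a real run.  run_edit_key() spawns gpg
with the same options as the corrected invocation above, with the driver
supplying the command-fd input.

```python
import os
import re
import subprocess

# Matches "[GNUPG:] KEYWORD [arg]" status lines; everything else is noise.
STATUS_RE = re.compile(r"^\[GNUPG:\] (?P<kw>[A-Z_]+)(?: (?P<arg>\S+))?")


class ExpireDriver:
    """Answers --edit-key prompts for the 'expire' dialogue.

    The prompt identifiers below are assumed from GnuPG's status-fd
    interface; check them against the gpg version you run.
    """

    def __init__(self, validity="10w"):
        self.validity = validity
        # Commands typed at the main keyedit prompt, in order; "quit" once exhausted.
        self.main_commands = ["expire", "save"]
        self.sent = []

    def answer(self, status_line):
        """Return the line to write to --command-fd for this status line, or None."""
        m = STATUS_RE.match(status_line)
        if not m:
            return None                      # plain stderr text, nothing to send
        kw, arg = m.group("kw"), m.group("arg")
        if kw == "GET_LINE" and arg == "keyedit.prompt":
            reply = self.main_commands.pop(0) if self.main_commands else "quit"
        elif kw == "GET_LINE" and arg == "keygen.valid":
            reply = self.validity            # e.g. "10w" as in the post
        elif kw == "GET_BOOL" and arg in ("keygen.valid.okay", "keyedit.save.okay"):
            reply = "y"
        elif kw == "GET_BOOL":
            reply = "n"                      # conservative default for yes/no prompts we do not know
        elif kw == "GET_LINE":
            reply = ""                       # empty line accepts gpg's own default
        elif kw == "GET_HIDDEN":
            raise RuntimeError("gpg asked for a secret (%s); supply it via --passphrase-fd" % arg)
        else:
            return None                      # GOT_IT, NEED_PASSPHRASE, ... need no reply
        self.sent.append(reply)
        return reply


def drive(status_lines, validity="10w"):
    """Run a status-fd transcript through the driver; return the replies it would send."""
    drv = ExpireDriver(validity)
    for line in status_lines:
        drv.answer(line)
    return drv.sent


def run_edit_key(key, passphrase_path, validity="10w", gpg="gpg"):
    """Spawn gpg as in the corrected invocation, answering prompts from the driver.

    Returns gpg's exit status.  The passphrase file is handed over on an
    inherited descriptor (the post uses fd 3) so it never appears in argv.
    """
    drv = ExpireDriver(validity)
    pw_fd = os.open(passphrase_path, os.O_RDONLY)
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--passphrase-fd", str(pw_fd), "--command-fd", "0",
             "--status-fd", "2", "--edit-key", key],
            stdin=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
            pass_fds=(pw_fd,))
    finally:
        os.close(pw_fd)                      # the child holds its own copy
    for line in proc.stderr:                 # status lines arrive on fd 2
        reply = drv.answer(line.rstrip("\n"))
        if reply is not None:
            proc.stdin.write(reply + "\n")
            proc.stdin.flush()
    proc.stdin.close()
    return proc.wait()


# Constructed transcript: the prompts the "expire\n10w\nsave\n" script answers,
# plus one made-up GET_BOOL to show that an unexpected prompt no longer stalls gpg.
SAMPLE_TRANSCRIPT = [
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keygen.valid",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_BOOL example.unknown.prompt",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
    "gpg: informational text that is not a status line",
]

if __name__ == "__main__":
    print(drive(SAMPLE_TRANSCRIPT))          # ['expire', '10w', 'n', 'save']
```

The "n" default for unknown GET_BOOL prompts is a design choice: it avoids
silently confirming an action the script did not plan, at the cost of
possibly aborting the operation, which is the failure you want to notice
rather than a key quietly modified in an unintended way.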



