Linux GPG2 Encryption Getting Intermittent gpg: signing failed: Inappropriate ioctl for device When Run From Oracle Apps

Peter Lebbing peter at digitalbrains.com
Sat Oct 8 12:59:40 CEST 2016


On 07/10/16 22:59, Jim Ernst wrote:
> I am using the following code with gpg (GnuPG) 2.1.15, and when run on
> Linux submitted from an Oracle EBS Apps request it errors with “gpg:
> signing failed: Inappropriate ioctl for device”:

This sounds like the bug <https://bugs.gnupg.org/gnupg/issue2680>. The
bug is that the error message is quite unclear, but means that the
program was unable to prompt for a passphrase with a pinentry.

> /usr/local/bin/gpg2 -v --batch --no-tty --output
> $v_outbound_dir/$v_fname_sign --encrypt --recipient $v_recipient
> --passphrase $v_passphrase --sign $v_sd_name/$v_fn

I find it odd that this even works as intended for you at all. I usually
get confused as to which versions of GnuPG support which methods of
unusual passphrase entry, but my GnuPG 2.1.11 [1] does not respect the
--passphrase argument at all. It simply prompts me for the passphrase
through a pinentry anyway.

So my guess is that the "intermittent" behaviour you see is that when
the passphrase is known and cached, it will run okay, ignoring your
--passphrase argument. But when it needs to know the passphrase, it will
error out since it can't locate a method to interact with you.

Usually, the --passphrase argument makes no sense from a security
standpoint. You encrypt the private key because you don't want anyone
with access to that file to directly have your private key. Yet, they
only need to access the file with your script to simply obtain the
passphrase there. You've only changed the scenario from "there's one
interesting file" to "you need two files". That's not very useful.
Another point is that the passphrase is plainly in the process list when
someone does a "ps ax" while GnuPG is running.

For unattended signing, I think usually you either store the private key
unencrypted (or at least, the signing subkey), or you prime the
passphrase cache when you boot the server, with gpg-preset-passphrase.

But I don't know much about scripting GnuPG effectively.

HTH,

Peter.

[1] I should start compiling my own newer versions, but haven't started
yet. I run Debian jessie/stable, and the newest versions of GnuPG 2.1
for testing and unstable are not easily installable on stable. That's
why I'm a tad behind.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
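
Editor's note, with an added example that is not part of Peter's reply or of GnuPG's own documentation: the script below does what the reply sketches for a server, namely primes gpg-agent's passphrase cache with gpg-preset-passphrase and then signs with --batch --no-tty, and first shows the cold-cache failure that a pinentry-less job runs into. It works in a throwaway GNUPGHOME with a freshly generated key. It assumes GnuPG 2.1 or later is installed as gpg2 or gpg, that gpgconf is on PATH, and that gpgconf's libexecdir holds gpg-preset-passphrase; the user ID, passphrase, cache TTLs and input file are constructed for the demo.

```shell
#!/bin/sh
# Added example (editor's, not code from the original post or from GnuPG):
# unattended signing with GnuPG 2.1 by priming gpg-agent's passphrase cache
# with gpg-preset-passphrase. Runs entirely in a throwaway GNUPGHOME.
# Assumptions: gpg 2.1+ (as gpg2 or gpg) and gpgconf on PATH; gpgconf's
# libexecdir contains gpg-preset-passphrase. User ID, passphrase, TTLs and
# input file are constructed for the demo.
set -eu

GPG_BIN=$(command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null || true)
DEMO_PASSPHRASE='correct horse battery staple'   # constructed, demo only
COLD_SIGN=untested
WARM_SIGN=untested

# Keygrips and --pinentry-mode need GnuPG 2.1 or later.
gnupg_is_2_1_or_later() {
    [ -n "$GPG_BIN" ] || return 1
    case "$("$GPG_BIN" --version | head -n 1)" in
        *" 2."[1-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The agent reads gpg-agent.conf when it starts, so write it before anything
# launches the agent: allow-preset-passphrase enables gpg-preset-passphrase,
# and the TTLs keep the entry alive for a day instead of the 10-minute default.
setup_homedir() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    printf 'allow-preset-passphrase\ndefault-cache-ttl 86400\nmax-cache-ttl 86400\n' \
        > "$GNUPGHOME/gpg-agent.conf"
    printf 'payroll batch 2016-10-08\n' > "$GNUPGHOME/input.txt"   # constructed
}

# Passphrase-protected RSA key in batch mode; gpg hands the Passphrase: line
# to the agent itself, so no pinentry is needed here.
generate_key() {
    "$GPG_BIN" --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: Unattended Signer
Name-Email: signer@example.invalid
Expire-Date: 0
Passphrase: $DEMO_PASSPHRASE
%commit
EOF
}

# gpg-agent caches by keygrip, not by key ID or fingerprint. In --with-colons
# output the grp record carries the keygrip in field 10; the first grp record
# belongs to the primary key, which is the signing key for this demo key.
primary_keygrip() {
    "$GPG_BIN" --batch --with-colons --with-keygrip --list-secret-keys \
        | awk -F: '$1 == "grp" { print $10; exit }'
}

# Seed the cache. The passphrase travels over stdin, so unlike --passphrase
# it never shows up in the process list.
preset_passphrase() {
    libexec=$(gpgconf --list-dirs | sed -n 's/^libexecdir:\(.*\)$/\1/p')
    printf '%s\n' "$DEMO_PASSPHRASE" | "$libexec/gpg-preset-passphrase" --preset "$1"
}

# The cron-style call: no tty, no prompting. --pinentry-mode error makes a
# cache miss fail outright instead of trying to open a pinentry; the agent
# checks its cache before it ever considers a pinentry, so a primed cache
# still works.
sign_file() {   # $1 input, $2 output
    "$GPG_BIN" --batch --no-tty --yes --pinentry-mode error \
        --output "$2" --sign "$1"
}

verify_signature() {
    "$GPG_BIN" --batch --no-tty --verify "$1" >/dev/null 2>&1
}

run_demo() {
    if ! gnupg_is_2_1_or_later; then
        echo "GnuPG 2.1+ not found, skipping"
        COLD_SIGN=skipped; WARM_SIGN=skipped
        return 0
    fi
    setup_homedir
    generate_key
    # Kill the agent so its cache is empty, as it is right after a reboot.
    gpgconf --kill gpg-agent 2>/dev/null || true
    if sign_file "$GNUPGHOME/input.txt" "$GNUPGHOME/cold.gpg" 2>/dev/null; then
        COLD_SIGN=succeeded
    else
        COLD_SIGN=failed      # expected: nothing cached and no way to ask
    fi
    gpgconf --launch gpg-agent
    preset_passphrase "$(primary_keygrip)"
    if sign_file "$GNUPGHOME/input.txt" "$GNUPGHOME/warm.gpg" \
       && verify_signature "$GNUPGHOME/warm.gpg"; then
        WARM_SIGN=verified
    else
        WARM_SIGN=failed
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "cold cache: $COLD_SIGN, after gpg-preset-passphrase: $WARM_SIGN"
}

run_demo
```

Two things worth keeping in mind when adapting this: the cache entry dies with the agent, so the preset step belongs in whatever starts the agent at boot (and the passphrase must then come from somewhere the agent host protects, which is the same trade-off as an unencrypted key on that host), and the entry is looked up by keygrip, so a key ID or fingerprint in the preset call silently does nothing.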
