Extraction of decryption session key without copying complete encrypted file
Fiedler Roman
Roman.Fiedler at ait.ac.at
Mon Aug 28 14:00:02 CEST 2017
> From: Werner Koch [mailto:wk at gnupg.org]
>
> On Mon, 28 Aug 2017 12:00, peter at digitalbrains.com said:
>
> > The gpg process communicates its TTY to the agent so the pinentry
> > knows where to pop up. This is a feature, not a bug. But when you
> > deliberately want to pop it up elsewhere...
>
> If you don't want that feature the --keep-tty and --keep-display options
> for gpg-agent may be useful:
>
> Ignore requests to change the current tty or X window system's
> DISPLAY variable respectively. This is useful to lock the pinentry
> to pop up at the tty or display you started the agent.
>
> That feature was once implemented for a user who liked to keep the
> pinentry popping up in fixed screen(1) session.
Thanks for the hint.
Just for reference: with all the suggestions from you and Peter, I have
created the following script, which performs all steps as expected:
# GpgHomeDir has to point at the GnuPG home directory holding the decryption
# key; abort early if it is not set.
: "${GpgHomeDir:?set GpgHomeDir to the GnuPG home directory}"
tmpDir="$(mktemp -d)"
# Run the agent in its own screen session; --keep-tty pins pinentry to that
# tty. The agent terminates when the sleep command it wraps exits.
screen -S GpgAgent -d -m -- gpg-agent --homedir "${GpgHomeDir}" --daemon \
  --log-file "${tmpDir}/agent.log" --allow-loopback-pinentry \
  --pinentry-program /usr/bin/pinentry --debug-pinentry --keep-tty \
  --debug-all --no-detach /bin/sleep 100000
sleep 1
GpgHomeDir="${GpgHomeDir}" tmpDir="${tmpDir}" screen -S Decryptor -d -m -- \
  /bin/bash -c 'cat decryptlist.txt | (
  cd "${tmpDir}"
  # PID of the agent, taken from its "gpg-agent ... started" log line.
  gpgAgentPid="$(grep -E -e "^[0-9-]{10} [0-9:]{8} gpg-agent\\[[0-9]+\\] gpg-agent .* started\$" -- "${tmpDir}/agent.log" | tail -n 1 | sed -r -e "s/^.* gpg-agent\\[([0-9]+)\\] .*/\\1/")"
  # decryptlist.txt holds one line per file: the file name and the base64
  # encoded leading packets of that encrypted file.
  while read -r fileName gpgPreamble; do
    echo "Extracting key from ${fileName}"
    # gpgsplit writes one file per packet; 000001-001.pk_enc is the first
    # public-key encrypted session key packet.
    echo "${gpgPreamble}" | base64 -d | gpgsplit
    # Append a dummy SEIPD packet (tag 18, 11 byte body: version 1 plus ten
    # zero bytes) so gpg sees a complete message and prints the session key;
    # decrypting the bogus body then fails, which does not matter here.
    (cat 000001-001.pk_enc; echo "0gsBAAAAAAAAAAAAAA==" | base64 -d) | \
      GPG_AGENT_INFO="${GpgHomeDir}/S.gpg-agent:${gpgAgentPid}:1" \
      gpg --use-agent --homedir "${GpgHomeDir}" --show-session-key
  done) 2>&1 | tee decryptlist.log'
screen -R GpgAgent
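The following is an added example and not code from the post above or from GnuPG. It does in Python what the script does with base64 and gpgsplit: read only the leading OpenPGP packets of an encrypted file, keep the public-key encrypted session key packets (PKESK, tag 1), and append the same 13-byte dummy SEIPD packet the script uses, so that gpg --show-session-key can be run on a few hundred bytes instead of the complete file. It goes slightly beyond the script in that it handles old-format packet headers, skips leading symmetric-key ESK packets, and keeps all PKESK packets of a multi-recipient message (the script only takes 000001-001.pk_enc, which is the first one, not necessarily the one for your key). Header parsing follows RFC 4880 section 4.2; the partial-length encoding used by large encrypted data packets is only recognised, never read. The file names, key IDs and MPI contents in the usage comment and in make_pkesk are constructed for illustration.

```python
# Added example, not code from the mailing-list post or from GnuPG: read only
# the leading OpenPGP packets of an encrypted file, keep the public-key
# encrypted session key packets (PKESK, tag 1) and append the same dummy
# SEIPD packet the script above uses, so gpg --show-session-key can be run
# on a few hundred bytes instead of the complete file. Header parsing follows
# RFC 4880 section 4.2; the partial-length case is only recognised, since the
# body of the encrypted data packet is never read.
import io
import sys

PKESK_TAG, SED_TAG, SEIPD_TAG = 1, 9, 18
# Same bytes as base64 "0gsBAAAAAAAAAAAAAA==" in the script above: new-format
# tag 18, body length 11, version 1, ten zero bytes of bogus ciphertext.
DUMMY_SEIPD = b"\xd2\x0b\x01" + b"\x00" * 10


def _need(f, n):
    data = f.read(n)
    if len(data) != n:
        raise ValueError("truncated input")
    return data


def read_packet_header(f):
    """Parse one packet header. Returns (tag, body_length, raw_header,
    is_partial); body_length is None for old-format indeterminate length.
    Returns None at end of input."""
    first = f.read(1)
    if not first:
        return None
    b = first[0]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if b & 0x40:  # new packet format
        tag, l1 = b & 0x3F, _need(f, 1)[0]
        if l1 < 192:
            return tag, l1, first + bytes([l1]), False
        if l1 < 224:
            l2 = _need(f, 1)[0]
            return tag, ((l1 - 192) << 8) + l2 + 192, first + bytes([l1, l2]), False
        if l1 == 255:
            raw = _need(f, 4)
            return tag, int.from_bytes(raw, "big"), first + b"\xff" + raw, False
        return tag, 1 << (l1 & 0x1F), first + bytes([l1]), True  # partial length
    tag, ltype = (b >> 2) & 0x0F, b & 0x03  # old packet format
    if ltype == 3:
        return tag, None, first, False
    raw = _need(f, (1, 2, 4)[ltype])
    return tag, int.from_bytes(raw, "big"), first + raw, False


def extract_pkesk_packets(f):
    """Collect the leading PKESK packets and stop at the first encrypted data
    packet without reading its body. Other leading packets (e.g. tag 3,
    symmetric-key ESK) are skipped."""
    packets = []
    while True:
        hdr = read_packet_header(f)
        if hdr is None:
            break
        tag, length, raw_hdr, partial = hdr
        if tag in (SED_TAG, SEIPD_TAG):
            break
        if length is None or partial:
            raise ValueError("unsupported length encoding on tag %d" % tag)
        body = _need(f, length)
        if tag == PKESK_TAG:
            packets.append(raw_hdr + body)
    if not packets:
        raise ValueError("no PKESK packet found before the encrypted data")
    return packets


def minimal_message(data, keep=None):
    """PKESK packet(s) plus the dummy SEIPD packet, ready for
    gpg --show-session-key. data is bytes or an open binary file; keep selects
    one recipient packet by index when the file has several."""
    f = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    pkesks = extract_pkesk_packets(f)
    if keep is not None:
        pkesks = [pkesks[keep]]
    return b"".join(pkesks) + DUMMY_SEIPD


def new_format_header(tag, length):
    """New-format header with one-, two- or five-octet definite length."""
    if length < 192:
        return bytes([0xC0 | tag, length])
    if length < 8384:
        length -= 192
        return bytes([0xC0 | tag, 192 + (length >> 8), length & 0xFF])
    return bytes([0xC0 | tag, 0xFF]) + length.to_bytes(4, "big")


def make_pkesk(key_id, mpis, algo=1):
    """Constructed version-3 PKESK packet for tests (key_id: 8 bytes,
    algo 1 = RSA, mpis: already encoded MPI bytes)."""
    body = b"\x03" + key_id + bytes([algo]) + mpis
    return new_format_header(PKESK_TAG, len(body)) + body


if __name__ == "__main__":
    # Hypothetical usage:  python3 extract_pkesk.py big.gpg > min.gpg
    #                      gpg --homedir "$GpgHomeDir" --show-session-key < min.gpg
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(minimal_message(fh))
```

The parser stops as soon as it meets the encrypted data packet (tag 18 or 9), so only the PKESK bytes, typically a few hundred per recipient, are ever read from the large file; this is what makes the approach work on files that cannot be copied in full.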