(pre)cache password rather than use allow-loopback-pinentry

Dirk-Willem van Gulik dirkx at webweaving.org
Fri Jul 21 10:05:22 CEST 2017


> On 21 Jul 2017, at 08:46, Werner Koch <wk at gnupg.org> wrote:
> 
> On Thu, 20 Jul 2017 20:04, dirkx at webweaving.org said:
> 
>> 	cat batch.commands | gpg2 --no-tty --batch --passphrase-XX XX --command-fd 0 --pinentry-mode loopback  …
> 
> This is not going to work.  --command-fd must always be used in
> conjunction with --status-fd so that a GET_foo status line output
> triggers input to the command fd descriptor.

Ok - I’ll need to investigate as to why this does work for our setting (auto renewal of the expiry date of keys on a chip card; script included below).

>> And then let the batch.commands (which does a complex dance of subkey renewal and some chip card shuffling) run against that ?
> 
> Please check wether some of the new --quick-foo commands can be helpful.

Thanks - that is a nice treasure trove you unearthed for me. Thanks!

>> Or to somehow use a pure TTY based pinentry in such a setting (it is an off line machine with barely more than a serial connection).
> 
> GnuPG has examples on how to write simple pinentries
> (/tests/fake-pinentries/).  Based on such an example and with the envvar
> PINENTRY_USER_DATA you can provide passphrases or PINs to gpg-agent.

So this we have working.

What I was hoping is that there is a way to ‘trigger’ a ‘real’ pinentry request by gpg-agent (and allow it to cache the result for N seconds) prior to going into command mode with gpg2, i.e. to warm up the cache.

So as to rely as much as possible on the existing security of gpg-agent and its cache (cleanup) management.

Thanks,

Dw.

#!/bin/sh
# Renew the expiry date of the first three subkeys of a key, unattended.
# The passphrase is read from $PWFILE and handed to gpg2 through the loopback
# pinentry; the file is wiped afterwards.
set -e

PWFILE=${PWFILE:-passwd.txt}
DAYS=${DAYS:-120}

if [ $# != 1 ]; then
        echo "Syntax: $0 <keyid>" >&2
        exit 1
fi

if ! test -f "$PWFILE"; then
        echo "No pwd $PWFILE" >&2
        exit 1
fi

KEYID=$1

# Interactive --edit-key commands on stdin: select subkey N, set its expiry
# to $DAYS days, deselect it ("key N" again) and move on to the next one.
gpg2 --no-tty --batch --passphrase-file "$PWFILE" --command-fd 0 --pinentry-mode loopback --edit-key "$KEYID" <<EOM
key 1
expire
$DAYS
key 1
key 2
expire
$DAYS
key 2
key 3
expire
$DAYS
save
EOM

# Wipe the passphrase file (srm: secure remove). Use the same path as above,
# not a hard-coded name, or a non-default $PWFILE would be left behind.
srm "$PWFILE"

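An added example of the "warm the cache first" approach asked about above; this is not code from the thread or from GnuPG itself. It assumes a software key in the keyring (for a key living on a chip card the PIN cache is a separate matter), that gpg-agent.conf contains `allow-preset-passphrase`, and that the passphrase is typed once on the (serial) console. The passphrase then goes to gpg-agent via `gpg-preset-passphrase`, so the usual cache handling applies (`max-cache-ttl` is still honoured, and `--forget` clears the entry), and the `--edit-key` run needs neither `--pinentry-mode loopback` nor a passphrase file on disk. Note that changing subkey expiry re-signs the bindings with the primary key, so it is the primary key's keygrip that must be cached. The `--status-fd`/`--command-fd` pairing follows Werner's remark above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-cache the primary key's passphrase in
# gpg-agent, then run the expiry renewal against the warm cache.
# Assumptions: allow-preset-passphrase is set in gpg-agent.conf; the key is a
# software key; NSUBKEYS and DAYS match the key being renewed.
set -e

DAYS=${DAYS:-120}
NSUBKEYS=${NSUBKEYS:-3}

# Keygrip of the primary key: in --with-colons output the first "grp" record
# (it follows the "pub"/"fpr" records) carries the keygrip in field 10.
primary_keygrip() {
    gpg2 --batch --with-colons --with-keygrip --list-keys "$1" \
      | awk -F: '$1 == "grp" { print $10; exit }'
}

# Emit the interactive --edit-key command stream for subkeys 1..N: select the
# subkey, set its expiry in days, deselect it again ("key N" toggles) and move
# on; the last one is left selected and "save" ends the session.
build_edit_commands() {
    n=$1; days=$2; i=1
    while [ "$i" -le "$n" ]; do
        printf 'key %s\nexpire\n%s\n' "$i" "$days"
        if [ "$i" -lt "$n" ]; then printf 'key %s\n' "$i"; fi
        i=$((i + 1))
    done
    printf 'save\n'
}

# Path of gpg-preset-passphrase (it lives in GnuPG's libexec directory).
preset_bin() {
    printf '%s/gpg-preset-passphrase\n' "$(gpgconf --list-dirs libexecdir)"
}

# Succeeds when gpg-agent currently holds a passphrase for the keygrip.
# In the KEYINFO reply the 7th field ("cached") is "1" when it is in the cache.
cache_is_warm() {
    gpg-connect-agent "KEYINFO $1" /bye \
      | awk -v rc=1 '$1 == "S" && $2 == "KEYINFO" { if ($7 == "1") rc = 0 } END { exit rc }'
}

# Warm the cache: prompt once on the console with echo off and hand the
# passphrase to gpg-agent on gpg-preset-passphrase's stdin. Nothing is written
# to disk; the entry expires with max-cache-ttl or on --forget.
warm_cache() {
    grip=$1
    printf 'Passphrase for keygrip %s: ' "$grip" >&2
    stty -echo; trap 'stty echo' EXIT
    read -r pass
    stty echo; trap - EXIT; printf '\n' >&2
    printf '%s' "$pass" | "$(preset_bin)" --preset "$grip"
    unset pass
}

# Run the renewal against the warmed agent: no loopback pinentry, no passphrase
# option. --status-fd accompanies --command-fd so GET_* lines drive the input.
renew_expiry() {
    build_edit_commands "$NSUBKEYS" "$DAYS" \
      | gpg2 --batch --no-tty --status-fd 2 --command-fd 0 --edit-key "$1"
}

# Driver: only runs when a key id is given, e.g.  sh renew.sh 0xDEADBEEF
if [ "$#" -eq 1 ]; then
    keyid=$1
    grip=$(primary_keygrip "$keyid")
    [ -n "$grip" ] || { echo "no primary keygrip found for $keyid" >&2; exit 1; }
    cache_is_warm "$grip" || warm_cache "$grip"
    renew_expiry "$keyid"
    # Drop the entry as soon as the job is done rather than waiting for the TTL.
    "$(preset_bin)" --forget "$grip"
fi
```

`cache_is_warm` lets the script skip the prompt when an earlier run (or an interactive pinentry for the same key) already filled the cache, which is the "rely on gpg-agent's own cache" behaviour the post is after; `gpg-connect-agent 'KEYINFO <keygrip>' /bye` is also handy on its own to check what the agent holds.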


More information about the Gnupg-users mailing list