(pre)cache password rather than use allow-loopback-pinentry
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri Jul 21 10:05:22 CEST 2017
> On 21 Jul 2017, at 08:46, Werner Koch <wk at gnupg.org> wrote:
>
> On Thu, 20 Jul 2017 20:04, dirkx at webweaving.org said:
>
>> cat batch.commands | gpg2 --no-tty --batch --passphrase-XX XX --command-fd 0 --pinentry-mode loopback …
>
> This is not going to work. --command-fd must always be used in
> conjunction with --status-fd so that a GET_foo status line output
> triggers input to the command fd descriptor.
Ok - I’ll need to investigate as to why this does work for our setting (auto renewal of the expiry date of keys on a chip card; script included below).
>> And then let the batch.commands (which does a complex dance of subkey renewal and some chip card shuffling) run against that ?
>
> Please check whether some of the new --quick-foo commands can be helpful.
Thanks - that is a nice treasure trove you unearthed for me. Thanks!
>> Or to somehow use a pure TTY based pinentry in such a setting (it is an off line machine with barely more than a serial connection).
>
> GnuPG has examples on how to write simple pinentries
> (/tests/fake-pinentries/). Based on such an example and with the envvar
> PINENTRY_USER_DATA you can provide passphrases or PINs to gpg-agent.
So this we have working.
What I was hoping is that there is a way to ‘trigger’ a ‘real’ pinentry request by gpg-agent (and allow it to cache the result for N seconds) prior to putting gpg2 into command mode, i.e. to warm up the cache.
So as to rely as much as possible on the existing security of gpg-agent and its cache (cleanup) management.
Thanks,
Dw.
#!/bin/sh
# Renew the expiry date of subkeys 1-3 of a key whose secret parts live on a
# chip card. The edit-key commands and prompt answers are fed to gpg2 on
# stdin (--command-fd 0); the passphrase is read from $PWFILE through the
# loopback pinentry.
set -e
PWFILE=${PWFILE:-passwd.txt}
DAYS=${DAYS:-120}
if [ $# != 1 ]; then
    echo "Syntax: $0 <keyid>" >&2
    exit 1
fi
if ! test -f "$PWFILE"; then
    echo "No pwd $PWFILE" >&2
    exit 1
fi
KEYID=$1
# In --edit-key, "key N" toggles the selection of subkey N, so each subkey is
# selected, given a new expiry of $DAYS days, then deselected before moving
# on to the next one; "save" commits the changes.
cat <<EOM | gpg2 --no-tty --batch --passphrase-file "$PWFILE" --command-fd 0 --pinentry-mode loopback --edit-key "$KEYID"
key 1
expire
$DAYS
key 1
key 2
expire
$DAYS
key 2
key 3
expire
$DAYS
save
EOM
# Securely remove the passphrase file that was actually used (not a
# hard-coded passwd.txt, which would be wrong when PWFILE is overridden).
srm "$PWFILE"
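As an added example (not part of this thread and not GnuPG's own tests/fake-pinentries script), here is a minimal pinentry of the kind Werner refers to: it speaks the Assuan protocol gpg-agent uses towards a pinentry, never opens a dialog, and answers GETPIN with the value of PINENTRY_USER_DATA. It assumes it is saved as fake-pinentry.sh (hypothetical name) and that gpg-agent is pointed at it with a pinentry-program line in gpg-agent.conf; the test fixture input at the bottom is constructed.

```shell
#!/bin/sh
# Minimal fake pinentry for unattended use on an offline box. gpg-agent
# starts it, sends Assuan commands on stdin and reads replies on stdout.
# The PIN/passphrase is taken from PINENTRY_USER_DATA, which gpg-agent
# passes through from the environment of the calling gpg process.
# Assumed configuration (hypothetical path) in gpg-agent.conf:
#   pinentry-program /usr/local/libexec/fake-pinentry.sh

# Percent-escape a value for an Assuan "D" data line: a literal '%' must be
# sent as "%25". (CR and LF would need %0D/%0A, but a value read with `read`
# from one environment variable cannot carry a bare newline, so only '%' is
# handled here.)
assuan_escape() {
    printf '%s' "$1" | sed 's/%/%25/g'
}

# Protocol loop: read one Assuan command per line, answer on stdout.
# Returns 0 when the agent says BYE or closes the pipe.
fake_pinentry() {
    echo "OK Your orders please"
    while read -r cmd rest; do
        case "$cmd" in
            ""|\#*) continue ;;            # blank line or Assuan comment
        esac
        case "$cmd" in
            GETPIN)
                # Refuse instead of returning an empty PIN when nothing was
                # supplied; 83886179 is GPG_ERR_CANCELED as reported by a
                # real pinentry.
                if [ -z "${PINENTRY_USER_DATA:-}" ]; then
                    echo "ERR 83886179 Operation cancelled <Pinentry>"
                else
                    echo "D $(assuan_escape "$PINENTRY_USER_DATA")"
                    echo "OK"
                fi
                ;;
            CONFIRM|MESSAGE)
                echo "OK" ;;              # auto-confirm yes/no questions
            BYE)
                echo "OK closing connection"
                return 0 ;;
            *)
                echo "OK" ;;              # OPTION, SETDESC, SETPROMPT, ...
        esac
    done
    return 0
}

# Run the loop only when started under the expected script name (i.e. by
# gpg-agent), so the file can also be sourced to exercise the functions.
case "$(basename -- "$0")" in
    fake-pinentry.sh) fake_pinentry ;;
esac
```

Two points worth keeping in mind when using this route: the passphrase obtained this way is cached by gpg-agent exactly like one typed into a real pinentry, which is what makes the agent's normal cache timeouts apply; and it sits in the environment of the gpg process for that process's lifetime, so anything able to read that process's environment can read it. For the cache warm-up asked about above, GnuPG also ships gpg-preset-passphrase (in libexec), which pushes a passphrase for a given keygrip into the agent's cache when the agent runs with allow-preset-passphrase; the script here sticks to the pinentry approach Werner describes.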