I am trying to decrypt an encrypted file. I have all the keys in place (secret and public), but I don't know why it's not generating the output file. Following are the commands I am running. I know there are several posts about this already, but I can't refer to them unless an error flashes on my command prompt.
gpg --list-secret-keys
It lists the secret keys.
gpg --list-keys
It lists all keys.
gpg --import "c:\folder_location\name_PublicKey.gpg"
Keys imported successfully.
gpg --batch --yes --passphrase my_passphrase --local-user "mycomp name
" -o "c:\folder_location\filenameTEST.txt" -d
"c:\folder_location\ENCRYPTEDFILE.txt.gpg"
I am not able to decrypt the file on the command line. There is no error reported on the command prompt; the command remains active the whole time and needs a force close.
Is there anything I am missing here? Any suggestions?
There was no issue with my command; the actual problem was CR and LF control characters (newlines). When I removed those characters, decryption worked without any errors! GPG never detected these characters, the statement got parsed without any error, and later the command froze without any error/output.
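The following is an added example, not code from the thread above. A stray CR/LF inside an argument (the original command had one inside the quoted --local-user value) is accepted by gpg as part of that string, and the run can then sit waiting with no error message. The helpers below make such bytes visible and strip them before gpg is called; the decrypt wrapper also hands the passphrase over on a file descriptor instead of the command line, where `--passphrase my_passphrase` would be readable by every local user in the process list. It assumes GnuPG 2.1 or newer for --pinentry-mode loopback; the file names and the sample user name are made up.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes GnuPG 2.1+ for
# --pinentry-mode loopback; file names and the sample user name are made up.

# Number of bytes outside printable ASCII (0x20-0x7E) in the argument.
count_control_bytes() {
    LC_ALL=C printf '%s' "$1" | LC_ALL=C tr -d '\040-\176' | LC_ALL=C wc -c | tr -d ' '
}

# Dump every byte of the argument so a hidden \r or \n shows up.
show_bytes() {
    printf '%s' "$1" | od -An -c
}

# Drop carriage returns and line feeds from the argument.
strip_crlf() {
    printf '%s' "$1" | tr -d '\r\n'
}

# Decrypt only after every path has been checked. The passphrase is handed
# over on fd 3 rather than with --passphrase, so it is not visible in `ps`.
decrypt_file() {
    passphrase=$1; infile=$2; outfile=$3
    for arg in "$infile" "$outfile"; do
        if [ "$(count_control_bytes "$arg")" != 0 ]; then
            echo "refusing to run gpg: control bytes in argument" >&2
            show_bytes "$arg" >&2
            return 2
        fi
    done
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
        -o "$outfile" --decrypt "$infile" 3<<EOF
$passphrase
EOF
}

# Constructed inputs: the second name ends in the CR that broke the original
# command ($(...) strips the trailing LF, the CR survives).
good_user='mycomp name'
bad_user=$(printf 'mycomp name\r\n')
echo "good: $(count_control_bytes "$good_user") control byte(s)"
echo "bad:  $(count_control_bytes "$bad_user") control byte(s)"
show_bytes "$bad_user"
echo "cleaned: '$(strip_crlf "$bad_user")'"
```

Run `show_bytes` on any argument that came out of a file, a copy-paste or a Windows editor before putting it on a gpg command line; a `\r` at the end of a key ID or path is invisible in the terminal but shows up immediately in the `od -c` dump.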
Most other GPG commands allow you to use --batch mode, but it doesn't appear to be the case when trying to edit a passphrase.
You have to run gpg --edit-key user
Which opens up an interactive GPG prompt.
This isn't going to work in my case as I need the ability to change the passphrase without the command line interaction.
The closest thing I've found is
gpg --batch --passphrase-fd 0 --status-fd 2 --command-fd 0 --edit-key
But this just gives me an invalid command after I enter the existing passphrase.
Any suggestions greatly appreciated.
I just encountered this problem while writing a key-gen script and came up with a solution!
A few things to note:
Lots of folks point towards --batch because --passphrase* requires it. In this case we'll be working with STDIN (as specified by --command-fd 0) and thus want to pass raw input rather than messing with the GnuPG functions.
While --status-fd 2 is useful for debugging, it isn't necessary. That said, including it led me to the insight that --change-passphrase is requesting two, and only two, entries.
Set --pinentry-mode loopback to avoid having a prompt asking for your passphrase.
The solution is to pipe (or redirect) both the original and new passphrases to STDIN where GnuPG can process them. While my initial code used (echo ..;echo ..)|gpg .. it is better to use a here-document.
# Using GnuPG to change PGP key passphrase non-interactively
gpg --command-fd 0 --pinentry-mode loopback \
--change-passphrase ${KEYID} <<END
${OLD_PASS}
${NEW_PASS}
END
Just set up the variables and that should work. Enjoy!
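Below is an added example, not part of the answer above, that runs the here-document approach end to end and proves the change took: it generates a throw-away key under a temporary GNUPGHOME, changes its passphrase with exactly the --command-fd 0 / --pinentry-mode loopback invocation from the answer, then checks that signing fails with the old passphrase and succeeds with the new one. The two lines on stdin answer the two prompts the answer mentions (old passphrase, then new); a subkey created alongside the primary key reuses them, so no third line is needed. It assumes GnuPG 2.1 or newer; the user ID, passphrases and directory are made up.

```sh
#!/bin/sh
# Added example, not from the answer above. Assumes GnuPG 2.1+
# (--pinentry-mode loopback, --quick-gen-key); user ID, passphrases and the
# temporary homedir are made up for the demonstration.

gpg_usable() { command -v gpg >/dev/null 2>&1 && gpg --pinentry-mode loopback --version >/dev/null 2>&1; }

# Feed both passphrases to gpg on stdin, as the answer does.
change_passphrase() {
    keyid=$1; old=$2; new=$3
    gpg --batch --command-fd 0 --pinentry-mode loopback --change-passphrase "$keyid" <<END
$old
$new
END
}

# Try to sign with the given passphrase; 0 on success, non-zero on failure.
can_sign_with() {
    keyid=$1; pass=$2
    printf 'payload\n' | gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --local-user "$keyid" --sign >/dev/null 2>&1
}

change_passphrase_demo() {
    gpg_usable || { echo skipped; return 0; }
    old_pass='correct horse'; new_pass='battery staple'
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME; chmod 700 "$GNUPGHOME"
    # Throw-away key protected with the old passphrase.
    gpg --batch --pinentry-mode loopback --passphrase "$old_pass" \
        --quick-gen-key 'Demo <demo@example.invalid>' default default never >/dev/null 2>&1 || return 1
    keyid=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null | awk -F: '$1=="sec"{print $5; exit}')
    [ -n "$keyid" ] || return 1
    change_passphrase "$keyid" "$old_pass" "$new_pass" >/dev/null 2>&1 || return 1
    # Old passphrase is tried first: a successful signing would be cached by
    # gpg-agent and could otherwise mask the result of the second check.
    result=
    can_sign_with "$keyid" "$old_pass" && result="old-still-works"
    can_sign_with "$keyid" "$new_pass" || result="${result:-new-rejected}"
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
    echo "${result:-ok}"
}

change_passphrase_demo
```

Note that both passphrases are still readable by anyone who can read the script or its environment; keep the here-document out of shell history and command-line arguments (where `--passphrase` would land them) and clear the variables once the key has been rewritten.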
I am currently writing a batch script to automate signing and encrypting files, on GnuPG version 2.0.30.
Can someone explain why the following will not work on my Windows machine:
echo "passphrase"| gpg2 --batch --yes --always-trust --passphrase-fd 0 -es -r "Public key for encryption" "Path of file to encrypt"
To my knowledge, this should be piping the output of echo (my passphrase) as the input of --passphrase-fd 0 (0 operating on STDIN handle of course). I can't seem to get this to work, and wasn't sure if it was my code, or if it's just an issue running this on Windows.
Whenever I execute this command, I get
"no default secret key: Bad passphrase"
"sign+encrypt failed: Bad passphrase"
As a workaround, I was able to use the redirection operator < and pass the filepath to my passphrase, still using the STDIN handle (0):
gpg2 --batch --yes --always-trust --passphrase-fd 0 -es -r "Public key for encryption" "Path of file to encrypt" < "Filepath to passphrase"
I realize it's bad practice to store a passphrase in a local file, and may consider removing the signature altogether, but for my own sake, I want to better understand why this won't work using piping (on Windows).
Thanks!
When running the following command on OpenVAS 7 as root (where gb_iojs_detect_win.nasl is one of the OpenVAS plugins; other plugins cause the same error):
openvas-nasl gb_iojs_detect_win.nasl
causes this error:
base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'
gb_iojs_detect_win.nasl: bad or missing signature. Will not execute this script
Note that I did follow this page and set nasl_no_signature_check = yes, but this error still persists.
Thanks! Any help would be appreciated!
Execute the following and follow the prompts:
gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key
Then execute:
wget http://www.openvas.org/OpenVAS_TI.asc -P /tmp
gpg --homedir=/usr/local/etc/openvas/gnupg --import /tmp/OpenVAS_TI.asc
gpg --homedir=/usr/local/etc/openvas/gnupg --list-keys
gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530
Source: http://www.openvas.org/trusted-nvts.html
Do what is indicated above and update your feed plugins.
I also struggled with this, due to the documentation falling short.
You need to provide the -X flag, which means authenticated mode, which apparently means "Don't do the signature checks"
I was having this issue with OpenVAS 9, but based on the instructions from #D.W., I read the docs about trusted NVTs, they mention that they're going to start using a new key starting 12/1/18.
However, when I ran openvassd -f to see what it was doing, I noticed that only some plugin checksums were failing, and I'm thinking they're already signing these with the new key.
checksum for /var/lib/openvas/plugins/gb_electrasoft_32bit_ftp_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_atlassian_confluence_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_synology_dsm_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_quixplorer_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_yealink_ip_phone_detect.nasl not matching
checksum for /var/lib/openvas/plugins/secpod_neon_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_torrent_trader_classic_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_simatic_s7_snmp_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_sophos_xg_detect_userportal.nasl not matching
checksum for /var/lib/openvas/plugins/gb_keycloak_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_wd_wdtv_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_get_http_banner.nasl not matching
checksum for /var/lib/openvas/plugins/gb_orion_nta_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_gather_windows_uptime.nasl not matching
checksum for /var/lib/openvas/plugins/gb_teleopti_wfm_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_asp_dotnet_core_detect_win.nasl not matching
checksum for /var/lib/openvas/plugins/eggdrop_detect.nasl not matching
checksum for /var/lib/openvas/plugins/gb_f5_linerate_lros_version.nasl not matching
checksum for /var/lib/openvas/plugins/gb_mikrotik_router_routeros_consolidation.nasl not matching
However, the fix was just to use the same instructions (I had to modify the config directory paths for Ubuntu/Debian), but with the newer key. After that the checksums validated OK:
wget https://www.greenbone.net/GBCommunitySigningKey.asc -P /tmp
gpg --homedir=/etc/openvas/gnupg --import /tmp/GBCommunitySigningKey.asc
gpg --homedir=/etc/openvas/gnupg --list-keys
gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580
systemctl restart openvas-scanner.service
Your command should be like this:
openvas-nasl -Xp gb_iojs_detect_win.nasl #for parsing
openvas-nasl -Xt IP gb_iojs_detect_win.nasl #for exec
note the additional switches.
For more details, visit this link
I have a job that runs periodically and signs/encrypts a file like so:
$ gpg --homedir /path/to/.gnupg -r key1#mydomain.com -r key2#mydomain.com --local-user sig1#mydomain.com --batch --passphrase-file /path/to/gpg-password --sign -ea myfile
The command encrypts the file for two recipients: key1#mydomain.com and key2#mydomain.com. It signs the file with sig1#mydomain.com. It runs in batch mode as there is no human interactivity - this is an automated process. It gets the passphrase for the signature from /path/to/gpg-password.
What I would like to do is now sign the file with two signatures at the same time. Like so:
$ gpg --homedir /path/to/.gnupg -r key1#mydomain.com -r key2#mydomain.com --local-user sig1#mydomain.com --local-user sig2#mydomain.com --batch --passphrase-file /path/to/gpg-password --sign -ea myfile
gpg: skipped "sig2#mydomain.com": bad passphrase
It works fine in interactive mode (e.g. without --batch); I just have to supply the two passphrases via the command line. However, in batch mode it fails as it tries to get the passphrases from the file. The passphrase is only valid for one of the signing keys.
From the man page:
--passphrase-file file
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied.
How do I tell it what the password is for each key?
You have different options.
Completely remove the passwords, since they're stored somewhere anyway.
Use the same password (as you already discovered).
Use the gpg-agent and preset the passphrase. I'm unsure whether this is GnuPG 2-only (usually installed as gpg2, maybe to be installed from a gnupg2 package). Presetting the passphrase is as easy as running gpg-preset-passphrase --preset [fingerprint]. You will have to run this command for each of the keys individually, and make sure to cache the passphrase for a given time (at least the processing time of adding all the passphrases, and then signing the file you want to sign).
For the sake of completeness, but impractical: sign the file individually for each key, then take apart the OpenPGP packets and recombine them adding all the signatures one after the other. Signing with multiple keys just creates multiple signature packets.
For anyone else in the same situation as me, I ended up working around this apparent deficiency of gpg by editing one of the signing keys to have the same password as the other (the password stored in the gpg-password file). This doesn't compromise security in this instance since the password is stored in a text file anyway - the real security is the password of the user that this commands runs from and the fact that the secret keys are kept secret). You can change the password on a key by doing gpg --edit-key <key_id>, then passwd. Don't forget to save after.
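As an added example (not from the thread above), here is the gpg-agent preset route from the accepted answer carried through end to end: two signing keys with different passphrases are preset in the agent, then one --batch run signs with both --local-user options and the signed file is checked for two good signatures. gpg-preset-passphrase identifies a key by its keygrip (shown by --with-keygrip), and the agent only accepts presets when allow-preset-passphrase is in its configuration before it starts; the cached entries live in the agent's memory and expire with its cache TTL settings, so a job has to preset and sign within that window. It assumes GnuPG 2.2+; user IDs, passphrases and the temporary homedir are made up.

```sh
#!/bin/sh
# Added example, not from the thread above. Assumes GnuPG 2.2+ with
# gpg-preset-passphrase installed; user IDs, passphrases and the temporary
# homedir are made up for the demonstration.

gpg_usable() { command -v gpg >/dev/null 2>&1 && gpg --pinentry-mode loopback --version >/dev/null 2>&1; }

# Keygrip of the primary (signing) key behind a user ID.
keygrip_of() {
    gpg --batch --with-colons --with-keygrip --list-secret-keys "$1" 2>/dev/null \
        | awk -F: '$1=="grp"{print $10; exit}'
}

# Count the GOODSIG status lines gpg emits when checking a signed file.
good_signatures() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | grep -c '^\[GNUPG:\] GOODSIG '
}

preset_two_signers_demo() {
    gpg_usable || { echo skipped; return 0; }
    preset=$(gpgconf --list-dirs libexecdir 2>/dev/null)/gpg-preset-passphrase
    [ -x "$preset" ] || { echo skipped; return 0; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME; chmod 700 "$GNUPGHOME"
    # The agent refuses PRESET_PASSPHRASE unless this is configured before it starts.
    printf 'allow-preset-passphrase\n' > "$GNUPGHOME/gpg-agent.conf"
    for entry in 'sig1@example.invalid=first secret' 'sig2@example.invalid=second secret'; do
        uid=${entry%%=*}; pass=${entry#*=}
        gpg --batch --pinentry-mode loopback --passphrase "$pass" \
            --quick-gen-key "$uid" default default never >/dev/null 2>&1 || return 1
        grip=$(keygrip_of "$uid"); [ -n "$grip" ] || return 1
        # One preset per key, each with its own passphrase, read from stdin.
        printf '%s' "$pass" | "$preset" --preset "$grip" || return 1
    done
    printf 'report\n' > "$GNUPGHOME/myfile"
    # --batch signing with two --local-user options, no --passphrase-file needed.
    gpg --batch --local-user sig1@example.invalid --local-user sig2@example.invalid \
        --sign --armor -o "$GNUPGHOME/myfile.asc" "$GNUPGHOME/myfile" 2>/dev/null || return 1
    n=$(good_signatures "$GNUPGHOME/myfile.asc")
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
    echo "$n"
}

preset_two_signers_demo
```

The script prints `2`. In a scheduled job the passphrases still have to come from somewhere (a root-only file, a secrets store), so the gain over the single-passphrase workaround is that each key keeps its own passphrase and nothing but the agent ever sees both.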
I am extracting data to .psv files through a script. These .psv files have to be encrypted and SFTPed to another server location. But the extracted .psv files are not getting encrypted; it is throwing the following error:
gpg: Invalid option "--trust-model"
I am using the following command
gpg -r 'abc#def.com' --encrypt --trust-model always $File_Name
Please help.
Thanks.
I've never seen the --trust-model always option myself, but I think you need to specify the file name last (or at least following the --encrypt option). So, try this:
gpg -r 'abc#def.com' --trust-model always --encrypt $File_Name
I have seen, but never personally used the --always-trust option, so here's another thing you can try:
gpg -r 'abc#def.com' --always-trust --encrypt $File_Name
I always add "trust" to every key I add to my ring so I'm not familiar with either of these options.
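The following is an added example, not from the thread above. It reproduces the batch-mode refusal that sends people to --trust-model always (gpg will not encrypt to an imported key whose validity is unknown), shows the bypass working, and then shows the alternative of pinning the exact fingerprint and recording ownertrust for it, which leaves the validity check switched on for every other recipient. gpg accepts --trust-model always before or after --encrypt, so the option's position is not what decides whether it is recognised; builds that reject --trust-model still take --always-trust. It assumes GnuPG 2.1+; the recipient, file and homedirs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread above. Assumes GnuPG 2.1+; recipient,
# file name and both homedirs are constructed for the demonstration.

gpg_usable() { command -v gpg >/dev/null 2>&1 && gpg --pinentry-mode loopback --version >/dev/null 2>&1; }

# Encrypt file to recipient with extra gpg options; prints ok or refused.
try_encrypt() {
    rcpt=$1; file=$2; shift 2
    if gpg --batch --yes "$@" -r "$rcpt" --encrypt -o "$file.gpg" "$file" 2>/dev/null; then
        echo ok
    else
        echo refused
    fi
}

encrypt_trust_demo() {
    gpg_usable || { echo skipped; return 0; }
    theirs=$(mktemp -d) || return 1
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME; chmod 700 "$theirs" "$GNUPGHOME"
    # Recipient key made in a separate homedir, so on our side it arrives uncertified.
    GNUPGHOME=$theirs gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'abc@example.invalid' default default never >/dev/null 2>&1 || return 1
    GNUPGHOME=$theirs gpg --batch --armor --export abc@example.invalid > "$GNUPGHOME/rcpt.asc" 2>/dev/null || return 1
    gpg --batch --import "$GNUPGHOME/rcpt.asc" 2>/dev/null || return 1
    printf 'col1|col2\n' > "$GNUPGHOME/extract.psv"
    # 1. Plain batch run: validity unknown, so gpg refuses to use the key.
    step1=$(try_encrypt abc@example.invalid "$GNUPGHOME/extract.psv")
    # 2. --trust-model always (or --always-trust): validity check skipped for every recipient.
    step2=$(try_encrypt abc@example.invalid "$GNUPGHOME/extract.psv" --trust-model always)
    # 3. Pin the exact key and record ownertrust for it (6 = ultimate); no global bypass.
    fpr=$(gpg --batch --with-colons --fingerprint abc@example.invalid 2>/dev/null \
          | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || return 1
    printf '%s:6:\n' "$fpr" | gpg --batch --import-ownertrust 2>/dev/null || return 1
    step3=$(try_encrypt "$fpr" "$GNUPGHOME/extract.psv")
    for h in "$theirs" "$GNUPGHOME"; do GNUPGHOME=$h gpgconf --kill gpg-agent >/dev/null 2>&1; done
    rm -rf "$theirs" "$GNUPGHOME"
    echo "$step1 $step2 $step3"
}

encrypt_trust_demo
```

Expected output is `refused ok ok`. Whichever of the two fixes is used, pass the recipient as a full fingerprint rather than an e-mail address: with --trust-model always, any key in the keyring carrying that address would be accepted, and a keyring into which someone can import a key then decides who can read the exports.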