GPG decryption: exit code 1?

gpg decryption is working fine when I run the script manually; however, the gpg commands exit with code 1 when the script is invoked remotely using the same user.
Command is:
gpg --batch --yes --always-trust --exit-on-status-write-error \
--passphrase "$pass_phrase" --output "$OUTNAME" --decrypt "$InName" >> "$LOG"
Additional information:
pub 2048R/227932CF 2016-08-09
uid XXXX(Public Key XXXX) <xxxxxxx@xx.com>
sig!3 227932CF 2016-08-09 XXXX XXX (xxxxx) <xxxxxxx@xx.com>
sub 2048R/51F72098 2016-08-09
sig! 227932CF 2016-08-09 XXXX XXX (xxxxx) <xxxxxxx@xx.com>
pub 2048R/B15019CC 2016-05-29
uid
sig! B15019CC 2016-05-29
sig! 227932CF 2016-08-10 XXXX XXX (xxxxx) <xxxxxxx@xx.com>
Does the `!` not suggest that the key is verified? Does anybody know what could be wrong in the command, such that it ends with exit code 1 only when invoked remotely?

This got resolved now. STDOUT and STDERR helped me debug the problem; I wasn't aware of this since I am new to shell scripting and the 'gpg' utility. It was the passphrase that was getting parsed incorrectly when other users invoked my script.
Apologies for being silly. Many Thanks everybody!
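The resolution above is what a wrapper should be built around from the start: hand gpg the passphrase on stdin instead of as a command-line word (so there is no second round of shell parsing when another user's environment runs the script, and nothing for `ps` to display), and keep stderr together with `--status-fd` in a log so that an exit status of 1 or 2 arrives with its reason. The script below is an added example, not code from the question or its follow-up. It assumes a GnuPG 2.x `gpg` and `gpgconf` on PATH; the function names, the plaintext, the passphrases and the throwaway GNUPGHOME are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG 2.x `gpg` and
# `gpgconf` on PATH; all inputs below are constructed for the demo.
set -u

# Decrypt $2 into $3. The passphrase ($1) is written to gpg's stdin and read
# with --passphrase-fd 0, so it is never an argument that a shell re-parses
# or that `ps` can show. Every diagnostic, including the machine-readable
# [GNUPG:] status lines, is appended to the log in $4. Returns gpg's status.
gpg_decrypt_file() {
    printf '%s\n' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --status-fd 2 \
        --output "$3" --decrypt "$2" 2>>"$4"
}

# Symmetric counterpart, used here only to produce something to decrypt.
gpg_encrypt_file() {
    printf '%s\n' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --status-fd 2 --cipher-algo AES256 \
        --output "$3" --symmetric "$2" 2>>"$4"
}

# Encrypt, decrypt with the right passphrase, then decrypt with a wrong one,
# and check that the failure is both a non-zero exit status and a line in the
# log that says why. Runs in a temporary GNUPGHOME so no real keyring is
# touched. Returns 0 when every expectation holds.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    (
        export GNUPGHOME="$work/gnupghome"
        mkdir -m 700 "$GNUPGHOME"
        # Some 2.1-era agents refuse loopback pinentry unless allowed explicitly.
        printf 'allow-loopback-pinentry\n' >"$GNUPGHOME/gpg-agent.conf"
        printf 'constructed sample plaintext\n' >"$work/plain.txt"
        pass='correct horse battery staple'   # constructed sample passphrase
        log="$work/gpg.log"
        ok=0
        gpg_encrypt_file "$pass" "$work/plain.txt" "$work/plain.gpg" "$log" &&
        gpg_decrypt_file "$pass" "$work/plain.gpg" "$work/out.txt" "$log" &&
        cmp -s "$work/plain.txt" "$work/out.txt" && ok=1
        if [ "$ok" = 1 ]; then
            # A wrong passphrase must not "succeed" (exit status 0).
            if gpg_decrypt_file 'not the passphrase' "$work/plain.gpg" "$work/out2.txt" "$log"; then
                ok=0
            fi
            # The log, not stdout, is where gpg explains a non-zero status.
            grep -Eq 'DECRYPTION_FAILED|BAD_PASSPHRASE|decryption failed' "$log" || ok=0
        fi
        gpgconf --kill gpg-agent 2>/dev/null || true
        [ "$ok" = 1 ]
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

# Usage: sh decrypt_demo.sh demo
case "${1:-}" in
    demo) roundtrip_demo && echo "round trip ok, wrong passphrase detected" ;;
esac
```

Passing the passphrase through a file descriptor also means the same wrapper works unchanged whether it is run by hand, from cron or over SSH; the only per-caller difference that remains is the GNUPGHOME the agent is started in.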

Related

GPG - Change passphrase non interactively

Most other GPG commands allow you to use --batch mode, but it doesn't appear to be the case when trying to edit a passphrase.
You have to run gpg --edit-key user
Which opens up an interactive GPG prompt.
This isn't going to work in my case as I need the ability to change the passphrase without the command line interaction.
The closest thing I've found is
gpg --batch --passphrase-fd 0 --status-fd 2 --command-fd 0 --edit-key
But this just gives me an invalid command after I enter the existing passphrase.
Any suggestions greatly appreciated.
I just encountered this problem while writing a key-gen script and came up with a solution!
A few things to note:
Lots of folks point towards --batch because --passphrase* requires it. In this case we'll be working with STDIN (as specified by --command-fd 0) and thus want to pass raw input rather than messing with the GnuPG functions.
While --status-fd 2 is useful for debugging, it isn't necessary. That said, including it led me to the insight that --change-passphrase is requesting two, and only two, entries.
Set --pinentry-mode loopback to avoid having a prompt asking for your passphrase.
The solution is to pipe (or redirect) both the original and new passphrases to STDIN, where GnuPG can process them. While my initial code used (echo ..;echo ..)|gpg .. it is better to use a here-document.
# Using GnuPG to change PGP key passphrase non-interactively
gpg --command-fd 0 --pinentry-mode loopback \
--change-passphrase ${KEYID} <<END
${OLD_PASS}
${NEW_PASS}
END
Just set up the variables and that should work. Enjoy!
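Wrapped as a function, with a check that the rotation actually took, as an added example and not the answer's own script. The passphrase-change command is the one given in the answer (both entries on stdin, consumed in order via --command-fd 0, loopback pinentry so no prompt appears); the verification step uses --export-secret-keys, which fails with a bad passphrase, and kills gpg-agent in between so a cached passphrase cannot mask the result. It assumes GnuPG 2.1+ with --quick-generate-key and gpgconf on PATH; the function names, user ID, passphrases and temporary GNUPGHOME are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the answer's script). Assumes GnuPG 2.1+ `gpg` and
# `gpgconf` on PATH; the key, user ID and passphrases are constructed here.
set -u

# Change the passphrase of key $1 from $2 to $3 the way the answer describes:
# old then new passphrase on stdin, read through --command-fd 0, with loopback
# pinentry so nothing tries to open a prompt. Returns gpg's exit status.
gpg_change_passphrase() {
    gpg --batch --no-tty --command-fd 0 --pinentry-mode loopback --status-fd 2 \
        --change-passphrase "$1" 2>>"${GPG_LOG:-/dev/null}" <<EOF
$2
$3
EOF
}

# Returns 0 if passphrase $2 unlocks secret key $1. Exporting the secret key
# needs the passphrase, so a wrong one makes gpg fail instead of producing data.
gpg_passphrase_unlocks() {
    printf '%s\n' "$2" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        --export-secret-keys "$1" >/dev/null 2>>"${GPG_LOG:-/dev/null}"
}

# Generate a throwaway key, rotate its passphrase, and confirm that only the
# new passphrase unlocks it afterwards. Returns 0 when all of that holds.
rotation_demo() {
    work=$(mktemp -d) || return 1
    (
        export GNUPGHOME="$work/gnupghome" GPG_LOG="$work/gpg.log"
        mkdir -m 700 "$GNUPGHOME"
        printf 'allow-loopback-pinentry\n' >"$GNUPGHOME/gpg-agent.conf"
        uid='Rotation Demo <rotation@example.invalid>'   # constructed user ID
        old='old passphrase one'                          # constructed
        new='new passphrase two'                          # constructed
        ok=0
        printf '%s\n' "$old" | gpg --batch --quiet --pinentry-mode loopback \
            --passphrase-fd 0 --quick-generate-key "$uid" default default never \
            2>>"$GPG_LOG" &&
        keyid=$(gpg --batch --with-colons --list-keys "$uid" 2>>"$GPG_LOG" |
                awk -F: '$1=="pub"{print $5; exit}') &&
        [ -n "$keyid" ] &&
        gpg_change_passphrase "$keyid" "$old" "$new" &&
        gpgconf --kill gpg-agent &&      # drop any cached passphrase first
        gpg_passphrase_unlocks "$keyid" "$new" &&
        gpgconf --kill gpg-agent &&      # and again before the negative check
        ! gpg_passphrase_unlocks "$keyid" "$old" && ok=1
        gpgconf --kill gpg-agent 2>/dev/null || true
        [ "$ok" = 1 ]
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

# Usage: sh rotate_demo.sh demo
case "${1:-}" in
    demo) rotation_demo && echo "passphrase rotated and verified" ;;
esac
```

Killing the agent between the checks matters: gpg-agent caches a passphrase it has just used, so an "old passphrase still works" test run straight after the change can pass for the wrong reason.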

GnuPG Automating Sign+Encrypt - passphrase-fd 0 issues on Windows

I am currently writing a batch script to automate signing and encrypting files, on GnuPG version 2.0.30.
Can someone explain why the following will not work on my Windows machine:
echo "passphrase"| gpg2 --batch --yes --always-trust --passphrase-fd 0 -es -r "Public key for encryption" "Path of file to encrypt"
To my knowledge, this should be piping the output of echo (my passphrase) as the input of --passphrase-fd 0 (0 operating on STDIN handle of course). I can't seem to get this to work, and wasn't sure if it was my code, or if it's just an issue running this on Windows.
Whenever I execute this command, I get
"no default secret key: Bad passphrase"
"sign+encrypt failed: Bad passphrase"
As a workaround, I was able to use the redirection operator < and pass the file path of my passphrase, still using the STDIN handle (0):
gpg2 --batch --yes --always-trust --passphrase-fd 0 -es -r "Public key for encryption" "Path of file to encrypt" < "Filepath to passphrase"
I realize it's bad practice to store a passphrase in a local file, and may consider removing the signature altogether, but for my own sake, I want to better understand why this won't work using piping (on Windows).
Thanks!

create process error 2 while encrypting file using gpg

I'm trying to encrypt a file.
Here is my command.
"gpg --yes --batch --cipher-algo AES256 --passphrase abcd123 --output "+"E:/Softwares"+"/" +"logfile"+".gpg --symmetric --cipher-algo AES256 "+"E:/Softwares/logfile.txt"
But I am getting an error like this:
java.io.IOException: Cannot run program "gpg": CreateProcess error=2, The system cannot find the file specified
at java.lang.ProcessBuilder.start(Unknown Source)
Can anyone please help me understand what's going on?
I've used this command earlier to do encryption as well, but this time it's giving a problem.
Thanks !!

unix command is executing before the authentication completed over SSH

I try to open a Unix session through Java code on Windows using putty.exe as follows:
Runtime.getRuntime().exec("cmd /c start /B C:/scripts/Session.bat ");
the 'Session.bat' file content is:
putty.exe -t -ssh root@aaa -pw abcd -P 22
aaa is the server name.
root is the user name.
abcd is the password
Now, the session opens well, but I want to run a couple of simple commands from the above command (ll -s, pwd, etc.).
But when I try to add a txt file which contains these commands to the above command, I see that the commands are executed after the user name is entered and before the password.
the complete command is:
putty.exe -t -ssh root@aaa -pw abcd -P 22 -m C:\scripts\commands.txt
That's why I get the error (below), since the command "ll" came before the password:
Using username "root".
bash: ll:: command not found
Please help me...
Thanks
There is no way the command could execute on the remote computer before the password is processed. Surely an alias is missing in root's bash startup files.
Try adding alias ll='ls -l' to /root/.bash_profile ?

GPG decrypts file with no content/as empty file

I have been struggling with a gpg problem for a few days and can't figure out a solution on my own. I would be glad if you could help me out with the following issue:
I need to decrypt a gpg file in PHP. For that, I am using the following command:
cat passphrase.txt | /usr/local/bin/gpg --decrypt --passphrase-fd 0 stammdaten.txt.gpg>stammdaten.txt
the passphrase.txt contains the password for decryption
stammdaten.txt.gpg is the encrypted file
the decrypted data will be written in stammdaten.txt
When I run this command in PHP:
shell_exec("cat passphrase.txt | /usr/local/bin/gpg --decrypt --passphrase-fd 0 stammdaten.txt.gpg>stammdaten.txt");
I get a zero-byte output file (stammdaten.txt) with owner=ftpadmin and group=psacln,
but when I execute the same command via an SSH terminal (as root), the data is decrypted and written correctly, with file owner=root and group=root.
I think this is a permission problem. How can I use that command in PHP correctly? I also tried to chown and chgrp the decrypted file with the ftp rights, but nothing seems to help.
Every answer is highly appreciated. Thanks!
Finally I got it to work:
First of all, I changed the gpg command for decryption to echo the passphrase into stdin:
$passphrase = utf8_decode('mypassphrase');
$encrypted = 'fullsystempathtogpgfile.gpg';
$command = "echo '$passphrase' | /usr/local/bin/gpg -v -v --batch --passphrase-fd 0 --no-default-keyring $encrypted";
Before executing with shell_exec I needed to change the homedir of gpg:
Before, it was set with:
putenv("GNUPGHOME=/var/www/.gnupg");
But obviously the PHP user (in my case "ftpadmin", found out with "whoami") has no permission to access that directory, so I copied the .gnupg folder into my newly created PHP user folder, /home/ftpadmin (with 777 perms), and changed the GNUPGHOME:
putenv("GNUPGHOME=/home/ftpadmin/.gnupg");
Now I am able to decrypt the gpg files with PHP. Maybe you can find some help here for your similar issue. Thanks again for every answer.
You can try to use
cat passphrase.txt | /usr/local/bin/gpg --output stammdaten.txt --decrypt --passphrase-fd 0 stammdaten.txt.gpg
instead.
Another thing you can try is to run this command in the shell as ftpadmin in the directory where your stammdaten.txt file is to make sure it is not a file permission problem.
su ftpadmin
cat passphrase.txt | /usr/local/bin/gpg --output stammdaten.txt --decrypt --passphrase-fd 0 stammdaten.txt.gpg
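Both answers come down to the same preflight: the account PHP runs as must be able to read and write the GNUPGHOME, and gpg's stderr must not be thrown away, or a zero-byte output is the only symptom you get. The script below is an added example, not code from either answer, that turns that into a check you can run as the web user (the `su ftpadmin` suggestion above) before wiring gpg into shell_exec. It classifies the home directory, repairs it to 0700 (the narrow alternative to the 777 permissions mentioned in the asker's answer: the web user needs its own keyring, other accounts on the box do not), and only then runs the decrypt with `--output` and a log. It assumes a POSIX shell with `ls`, `find` and `[ -O ]`; the function names and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from either answer). Assumes a POSIX shell; gpg is
# only needed by the last function. Names below are constructed for the demo.
set -u

# Classify the GnuPG home directory the calling process would use.
# Prints one of: missing, not-owner, group-or-world-accessible, ok.
# Returns 0 only for "ok".
gnupghome_status() {
    dir="$1"
    [ -d "$dir" ] || { echo missing; return 1; }
    [ -O "$dir" ] || { echo not-owner; return 1; }
    # `ls -ld` prints e.g. "drwx------": characters 5-10 are the group
    # and other bits, which must all be off for a private keyring.
    rest=$(ls -ld "$dir" | cut -c5-10)
    [ "$rest" = "------" ] || { echo group-or-world-accessible; return 1; }
    echo ok
}

# Create or repair a private home for the current user: directory 0700,
# files 0600, nothing wider. Returns 0 when the result passes the check.
make_private_gnupghome() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    find "$dir" -type d -exec chmod 700 {} + 2>/dev/null
    find "$dir" -type f -exec chmod 600 {} + 2>/dev/null   # keyrings, conf
    gnupghome_status "$dir" >/dev/null
}

# Decrypt $3 into $4 with the passphrase stored in $2, using home $1, but
# only after the preflight passes. stderr and status lines go to the log in
# $5, so a failure is explained rather than showing up as an empty file.
decrypt_with_checked_home() {
    home="$1"; passfile="$2"; in_file="$3"; out_file="$4"; log="$5"
    state=$(gnupghome_status "$home") || {
        echo "refusing to run gpg: GNUPGHOME $home is $state" >>"$log"
        return 1
    }
    GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback \
        --passphrase-fd 0 --status-fd 2 \
        --output "$out_file" --decrypt "$in_file" <"$passfile" 2>>"$log"
}

# Usage: sh gpg_preflight.sh /home/ftpadmin/.gnupg
case "${1:-}" in
    "") ;;
    *)  make_private_gnupghome "$1" && echo "$1: $(gnupghome_status "$1")" ;;
esac
```

Run it as the same account PHP uses (`id -un` inside shell_exec tells you which), because `[ -O ]` and the repair both act on behalf of the caller; a directory that is "ok" for root can still be "not-owner" for ftpadmin.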
