On Thu, May 5, 2011 at 02:19, Jon Drukman <j...@cluttered.com> wrote:
> putenv('HOME=/tmp/gpg');
> @mkdir('/tmp/gpg');
>

At this point, you should be watching carefully. What if another user has created this directory to spoof the key? Use the appropriate command for creating a unique temporary directory. Should be mktemp or similar.

> system("/usr/bin/gpg --batch --yes --import /sites/config/public_key.asc");
> system("/usr/bin/gpg --batch --yes --no-ask-cert-level --trust-model always
> --output $filename.gpg --encrypt --recipient $recipient $filename
> > /tmp/gpg.log
> 2>&1");

Again, what if the keyring is already in place? Could even be yourself -- you create the keyring once, import the public key at the time, then later update the public key and import again -- now, which key to use?

--
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
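The two points raised in the reply above (a predictable `/tmp/gpg` that another user may have prepared, and a keyring that may already hold an older key) can both be handled by giving every run a fresh private GnuPG home and encrypting to the fingerprint of the one key just imported. This is an added example in shell, not code from the thread; the function names and the `gpghome.` template are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Create a fresh GnuPG home. mktemp -d picks an unpredictable name, creates
# the directory atomically with mode 0700, and fails instead of reusing an
# existing path (unlike mkdir on a fixed /tmp/gpg).
make_gpg_home() {
    mktemp -d "${TMPDIR:-/tmp}/gpghome.XXXXXXXXXX"
}

# Import one public key file into the given home and print the fingerprint
# of its primary key. Fails unless the keyring holds exactly one primary key,
# so a stale or planted key can never be picked as recipient.
import_single_key() {
    home=$1 keyfile=$2
    gpg --homedir "$home" --batch --quiet --import "$keyfile" || return 1
    listing=$(gpg --homedir "$home" --batch --with-colons \
                  --with-fingerprint --list-keys) || return 1
    count=$(printf '%s\n' "$listing" |
            awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 key, found $count" >&2
        return 1
    fi
    # Field 10 of the first "fpr" record is the primary key fingerprint.
    printf '%s\n' "$listing" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt infile to the key in keyfile, writing infile.gpg.
# The temporary home is removed whether or not encryption succeeds.
encrypt_file() {
    keyfile=$1 infile=$2
    home=$(make_gpg_home) || return 1
    fpr=$(import_single_key "$home" "$keyfile") &&
        gpg --homedir "$home" --batch --yes --trust-model always \
            --output "$infile.gpg" --encrypt --recipient "$fpr" "$infile"
    status=$?
    rm -rf -- "$home"
    return "$status"
}

# Usage (paths are placeholders):
#   encrypt_file /path/to/public_key.asc /path/to/file
```

`--trust-model always` is kept from the quoted script; it is only reasonable here because the keyring is guaranteed to contain nothing but the key file that was just imported.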