On 07/10/16 22:59, Jim Ernst wrote:
> I am using the following code with gpg (GnuPG) 2.1.15, and when run on
> Linux submitted from an Oracle EBS Apps request it errors with “gpg:
> signing failed: Inappropriate ioctl for device”:

This sounds like the bug <https://bugs.gnupg.org/gnupg/issue2680>. The bug is that the error message is quite unclear, but means that the program was unable to prompt for a passphrase with a pinentry.

> /usr/local/bin/gpg2 -v --batch --no-tty --output
> $v_outbound_dir/$v_fname_sign --encrypt --recipient $v_recipient
> --passphrase $v_passphrase --sign $v_sd_name/$v_fn

I find it odd that this even works as intended for you at all. I usually get confused as to which versions of GnuPG support which methods of unusual passphrase entry, but my GnuPG 2.1.11 [1] does not respect the --passphrase argument at all. It simply prompts me for the passphrase through a pinentry anyway.

So my guess is that the "intermittent" behaviour you see is that when the passphrase is known and cached, it will run okay, ignoring your --passphrase argument. But when it needs to know the passphrase, it will error out since it can't locate a method to interact with you.

Usually, the --passphrase argument makes no sense from a security standpoint. You encrypt the private key because you don't want anyone with access to that file to directly have your private key. Yet they only need to access the file with your script to simply obtain the passphrase there. You've only changed the scenario from "there's one interesting file" to "you need two files". That's not very useful. Another point is that the passphrase is plainly in the process list when someone does a "ps ax" while GnuPG is running.

For unattended signing, I think usually you either store the private key unencrypted (or at least, the signing subkey), or you prime the passphrase cache when you boot the server, with gpg-preset-passphrase. But I don't know much about scripting GnuPG effectively.

HTH,
Peter.

[1] I should start compiling my own newer versions, but haven't started yet. I run Debian jessie/stable, and the newest versions of GnuPG 2.1 for testing and unstable are not easily installable on stable. That's why I'm a tad behind.
-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
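Added example (not part of the thread, and not GnuPG's own code): a Python driver for the unattended sign-and-encrypt job the thread discusses, written the way the reply recommends rather than the way the quoted command does it. It shows the quoted `--passphrase` form side by side with a GnuPG 2.1 invocation that uses `--pinentry-mode loopback --passphrase-fd 0` and feeds the passphrase over stdin, so nothing secret appears in `ps ax`; a mode check on the passphrase file; and the `gpg-preset-passphrase` alternative for priming gpg-agent's cache at boot. Assumptions not taken from the page: the binary is called `gpg2` and is on PATH, the signing key is already in the service account's keyring, `gpgconf` is available to locate libexecdir, and all file paths and the recipient address are made up.

```python
"""Unattended sign+encrypt with GnuPG 2.1 without --passphrase on the command line.

Added example, not code from the thread or from GnuPG. Assumptions (not from
the page): the binary is `gpg2` on PATH, the signing key is already in the
keyring, and the passphrase lives in a file readable only by the service
account (the paths below are made up).
"""
import os
import stat
import subprocess
from typing import List

GPG = "gpg2"  # assumption: GnuPG 2.1.x binary name on the host


def legacy_argv(infile: str, outfile: str, recipient: str, passphrase: str) -> List[str]:
    """The shape of the command quoted in the thread. GnuPG 2.1 ignores
    --passphrase unless --pinentry-mode loopback is also given, and the
    secret is visible in `ps ax` / /proc/<pid>/cmdline while gpg runs."""
    return [GPG, "-v", "--batch", "--no-tty", "--output", outfile,
            "--encrypt", "--recipient", recipient,
            "--passphrase", passphrase, "--sign", infile]


def loopback_argv(infile: str, outfile: str, recipient: str) -> List[str]:
    """Same operation; the passphrase is read from fd 0 (stdin) instead.
    --pinentry-mode loopback is what makes 2.1 honour --passphrase-fd.
    (Old 2.1 agents need allow-loopback-pinentry in gpg-agent.conf.)"""
    return [GPG, "--batch", "--no-tty", "--pinentry-mode", "loopback",
            "--passphrase-fd", "0", "--output", outfile,
            "--encrypt", "--recipient", recipient, "--sign", infile]


def leaks_secret(argv: List[str], secret: str) -> bool:
    """Would the secret appear in the process list for this argv?"""
    return any(secret in arg for arg in argv)


def passphrase_file_mode_ok(mode: int) -> bool:
    """Refuse passphrase files readable by group or others: the 'two files'
    point in the reply means the passphrase file needs at least the same
    protection as the key file itself."""
    return stat.S_IMODE(mode) & 0o077 == 0


def read_passphrase(path: str) -> bytes:
    st = os.stat(path)
    if not passphrase_file_mode_ok(st.st_mode):
        raise PermissionError(f"{path} is readable by group/others; chmod 600 it")
    with open(path, "rb") as fh:
        return fh.readline().rstrip(b"\r\n")


def sign_and_encrypt(infile: str, outfile: str, recipient: str, passphrase_file: str) -> str:
    """Run gpg unattended, feeding the passphrase over the stdin pipe (fd 0)."""
    proc = subprocess.run(loopback_argv(infile, outfile, recipient),
                          input=read_passphrase(passphrase_file) + b"\n",
                          capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: " + proc.stderr.decode(errors="replace"))
    return outfile


def preset_passphrase(keygrip: str, passphrase_file: str) -> None:
    """The alternative the reply mentions: prime gpg-agent's cache once (e.g. at
    boot) with gpg-preset-passphrase, then run gpg with no passphrase option at
    all. Needs allow-preset-passphrase in gpg-agent.conf; the keygrip comes
    from `gpg2 --with-keygrip -K`. The helper is installed in libexecdir."""
    libexec = subprocess.run(["gpgconf", "--list-dirs", "libexecdir"],
                             capture_output=True, text=True, check=True).stdout.strip()
    helper = os.path.join(libexec, "gpg-preset-passphrase")
    subprocess.run([helper, "--preset", keygrip],
                   input=read_passphrase(passphrase_file) + b"\n", check=True)


if __name__ == "__main__":
    # Constructed sample paths; gpg2 must be installed for this branch to run.
    out = sign_and_encrypt("/var/ebs/outbound/report.csv",
                           "/var/ebs/outbound/report.csv.gpg",
                           "bank-inbound@example.com",
                           "/etc/ebs/signing.pass")
    print("wrote", out)
```

Note that with `--passphrase-fd 0` the data to sign must come from a file argument, as it does here, because stdin is taken by the passphrase. The loopback variant still leaves the passphrase readable to anyone who can read the script's passphrase file, which is exactly the trade-off the reply describes; the preset route only moves the secret into gpg-agent's memory for the lifetime of its cache entry.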