> On 21 Jul 2017, at 08:46, Werner Koch <w...@gnupg.org> wrote:
>
> On Thu, 20 Jul 2017 20:04, di...@webweaving.org said:
>
>> cat batch.commands | gpg2 --no-tty --batch --passphrase-XX XX
>> --command-fd 0 --pinentry-mode loopback …
>
> This is not going to work. --command-fd must always be used in
> conjunction with --status-fd so that a GET_foo status line output
> triggers input to the command fd descriptor.
Ok - I’ll need to investigate why this does work for our setting (auto renewal of the expiry date of keys on a chipcard; included below).

>> And then let the batch.commands (which does a complex dance of subkey
>> renewal and some chip card shuffling) run against that ?
>
> Please check whether some of the new --quick-foo commands can be helpful.

Thanks - that is a nice treasure trove you unearthed for me. Thanks!

>> Or to somehow use a pure TTY based pinentry in such a setting (it is an off
>> line machine with barely more than a serial connection).
>
> GnuPG has examples on how to write simple pinentries
> (/tests/fake-pinentries/). Based on such an example and with the envvar
> PINENTRY_USER_DATA you can provide passphrases or PINs to gpg-agent.

So this we have working. What I was hoping is that there is a way to ‘trigger’ a ‘real’ pinentry request by gpg-agent (and allow it to cache the result for N seconds) prior to going into gpg2 command mode. I.e. to warm up the cache, so as to rely as much as possible on the existing security of gpg-agent and its cache (cleanup) management.

Thanks,

Dw.

    #!/bin/sh
    # Renew the expiry of subkeys 1-3 of the given key by DAYS days,
    # feeding the --edit-key dialogue over --command-fd and reading the
    # passphrase from PWFILE, which is securely removed afterwards.
    set -e

    PWFILE=${PWFILE:-passwd.txt}
    DAYS=${DAYS:-120}

    if [ $# != 1 ]; then
        echo "Syntax: $0 <keyid>" >&2
        exit 1
    fi

    if ! test -f "$PWFILE"; then
        echo "No pwd $PWFILE" >&2
        exit 1
    fi

    KEYID=$1

    # Each line answers one --edit-key prompt: select subkey, "expire",
    # the new validity in days, deselect subkey; finally "save".
    cat <<EOM | gpg2 --no-tty --batch --passphrase-file "$PWFILE" --command-fd 0 --pinentry-mode loopback --edit-key "$KEYID"
    key 1
    expire
    $DAYS
    key 1
    key 2
    expire
    $DAYS
    key 2
    key 3
    expire
    $DAYS
    save
    EOM

    srm "$PWFILE"
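For comparison, here is the --command-fd/--status-fd dialogue Werner refers to, written out as a small driver. This is an added example, not code from the thread or from the GnuPG project: gpg emits `[GNUPG:] GET_LINE <prompt>` (or GET_BOOL / GET_HIDDEN) status lines, and the driver answers each one with a single line on the command fd. The prompt names keyedit.prompt, keygen.valid, keyedit.save.okay and passphrase.enter are GnuPG's own; the expiry plan, the `Responder` class and the replayed transcript are constructed for this illustration. Because loopback pinentry requests the passphrase through GET_HIDDEN passphrase.enter, the driver can answer it from memory instead of leaving it in a file that later has to be srm'ed.

```python
#!/usr/bin/env python3
"""Drive `gpg2 --edit-key` over --command-fd/--status-fd (added example)."""
import subprocess
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


def build_plan(subkeys=(1, 2, 3)) -> List[str]:
    """keyedit commands that renew each listed subkey, then save."""
    plan: List[str] = []
    for n in subkeys:
        # Select the subkey, run "expire" (the day count is requested
        # separately via the keygen.valid prompt), then deselect it again.
        plan += [f"key {n}", "expire", f"key {n}"]
    plan.append("save")
    return plan


class Responder:
    """Maps GET_* status lines to the one-line answer for the command fd."""

    def __init__(self, plan: List[str], days: int, passphrase: str):
        self.plan = list(plan)
        self.days = days
        self.passphrase = passphrase

    def respond(self, status_line: str) -> Optional[str]:
        """Return the answer for a GET_* line, or None if no answer is due."""
        if not status_line.startswith(STATUS_PREFIX):
            return None                      # ordinary gpg log output on fd 2
        fields = status_line[len(STATUS_PREFIX):].split()
        if not fields or not fields[0].startswith("GET_"):
            return None                      # informational status (GOT_IT, ...)
        kind = fields[0]
        prompt = fields[1] if len(fields) > 1 else ""
        if (kind, prompt) == ("GET_LINE", "keyedit.prompt"):
            return self.plan.pop(0) if self.plan else "quit"
        if (kind, prompt) == ("GET_LINE", "keygen.valid"):
            return str(self.days)            # "Key is valid for?" -> N days
        if (kind, prompt) == ("GET_BOOL", "keyedit.save.okay"):
            return "y"
        if (kind, prompt) == ("GET_HIDDEN", "passphrase.enter"):
            return self.passphrase           # loopback pinentry asks here
        raise RuntimeError(f"unexpected prompt: {kind} {prompt}")


def drive_transcript(status_lines: List[str], responder: Responder) -> List[str]:
    """Replay recorded status output offline; returns the answers in order."""
    answers: List[str] = []
    for line in status_lines:
        answer = responder.respond(line.rstrip("\n"))
        if answer is not None:
            answers.append(answer)
    return answers


def run_edit_key(keyid: str, days: int, passphrase: str, gpg: str = "gpg2") -> int:
    """Run the real dialogue against gpg; returns gpg's exit status."""
    responder = Responder(build_plan(), days, passphrase)
    proc = subprocess.Popen(
        [gpg, "--no-tty", "--batch", "--status-fd", "2", "--command-fd", "0",
         "--pinentry-mode", "loopback", "--edit-key", keyid],
        stdin=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    assert proc.stdin is not None and proc.stderr is not None
    for line in proc.stderr:                 # status and log lines share fd 2
        answer = responder.respond(line.rstrip("\n"))
        if answer is not None:
            proc.stdin.write(answer + "\n")  # exactly one line per GET_* request
            proc.stdin.flush()
    proc.stdin.close()
    return proc.wait()


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <keyid> <days>")
    pw = getpass.getpass("Passphrase/PIN (kept in memory only): ")
    sys.exit(run_edit_key(sys.argv[1], int(sys.argv[2]), pw))
```

Status and log lines are both read from fd 2 and anything without the `[GNUPG:]` prefix is ignored, so the driver does not depend on gpg's human-readable output. `drive_transcript` replays a captured transcript without gpg present, which is a convenient way to check that a plan answers every prompt before running it against a card.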
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users