> At https://dev.gnupg.org/T4154 , 'allow setting passphrase from an environment variable', there is a comment of "I don't see why we should add yet more clumsy passphrase workarounds to gpg. We already have PINENTRY_USER_DATA which can fulfill the same task."
Of course, the reference here to PINENTRY_USER_DATA is specious. To incorporate the processing of such a customized PINENTRY_USER_DATA requires the coding of a corresponding pinentry executable to receive it. And if one has the capacity to code one's own unique pinentry executable ... they could code around the stated problem outside of using PINENTRY_USER_DATA in the first place. And the T4154 request would never have been made in the first place.

So, given the above, a solution towards:

>+ (https://dev.gnupg.org/T4154)
>+
>+ So this patch adds a new form of passphrase-passing, using an environment
>+ variable. In POSIX shell, this looks like (for example):
>+
>+ mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback \
>+ --passphrase-env=mypass --decrypt < message.txt
>+

can be effected without resorting to PINENTRY_USER_DATA - so no need to code, customize, maintain, update per gpg upgrades, or apply patches to in-house self-solutions.

> Can anyone give an example of doing so?
> I am looking to effect the equivalent of ...
> Has anyone got a link to a working example of '3<' or
> 'PINENTRY_USER_DATA which can fulfill the same task' of gpg picking up
> its passphrase from an environment variable?

Examine https://lists.gnupg.org/pipermail/gnupg-users/2024-March/067030.html ('How can I 'echo' into fd 3 to be able to use it on a gpg cmd line?') for a more detailed example script solution, but in brief for this thread:

# -u only prints a name; mkfifo then fails if the path already exists rather than reusing it
gs_myfifo="$(mktemp -ut fifo.XXX)"
mkfifo -m 0600 "${gs_myfifo}"
gs_mysecretpassphrase="KXhtctw4_zFfhRop"
# printf rather than 'echo -e': a passphrase may contain backslashes, which -e would reinterpret,
# and printf is a shell builtin, so the passphrase is on no process's command line.
# The background writer blocks until gpg opens the read end of the FIFO.
printf '%s\n' "${gs_mysecretpassphrase}" > "${gs_myfifo}" &
unset gs_mysecretpassphrase
# --batch is needed too: gpg(1) notes that since 2.0 a --passphrase-fd passphrase is only
# used together with --batch, and since 2.1 --pinentry-mode must be loopback.
printf '%s\n' "Stuff to be encrypted." \
  | gpg --batch --pinentry-mode loopback --passphrase-fd 3 -c 3< "${gs_myfifo}"
rm "${gs_myfifo}"

Of course, 'gs_mysecretpassphrase="KXhtctw4_zFfhRop"' would be replaced with some other mechanism of acquiring the passphrase.
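Review bot: In the ">+" hunk quoted above from T4154, the example command's quoting is mismatched: 'mypass="IUuKctdEhH8' opens with a double quote and closes with a single quote, so a POSIX shell would swallow the rest of the line into the assignment and the example cannot be pasted and run as written; it should read 'mypass="IUuKctdEhH8" gpg --batch --pinentry-mode=loopback \'. The added text should also document the visibility trade-off of the mechanism it introduces: a prefix assignment exports the variable into gpg's environment, which other processes of the same user (and root) can read via /proc/<pid>/environ or 'ps e', so --passphrase-env removes the fd plumbing but is not more confidential than --passphrase-fd.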
Perhaps via something such as:

export GPG_TERM="${TERM}"
# Drive pinentry's Assuan protocol directly: GETPIN prompts on the tty, BYE ends the session.
printf 'GETPIN\nBYE\n' \
  | pinentry --ttyname "${GPG_TTY}" \
  | sed -e "s/^OK.*$//" -e "/^[[:space:]]*$/d" -e "s/^D //"
# The sed drops the "OK ..." status lines and the resulting blank lines, then strips the
# "D " prefix from the data line that carries the entered passphrase.

On Thu, Mar 21, 2024 at 7:45 PM B.S. <bs27...@gmail.com> wrote:
> At https://dev.gnupg.org/T4154 , 'allow setting passphrase from an
> environment variable', there is a comment of "I don't see why we
> should add yet more clumsy passphrase workarounds to gpg. We already
> have PINENTRY_USER_DATA which can fulfill the same task."
>
> Can anyone give an example of doing so?
>
> I am looking to effect the equivalent of:
> '@rem Get passphrase into (env.) var. programmatically (in your
> favourite manner)'
> 'set /p myenvpassphrase="Enter symmetric keyphrase to use:"
> 'echo "Secret data" | gpg.exe -c --envpassphrase myenvpassphrase >
> secretdata.gpg'
> - thereby avoiding storing any passphrase (even temporarily) on a
> storage medium, nor have it visible as the command line (via tasklist
> or ps).
> - in this case, the 'secret data' is actually confidential
> information, piped from elsewhere, on the fly.
>
> Of course, the '-envpassphrase' option doesn't exist in gpg currently,
> but the comment at the above link indicates that there is another way
> to effect the same intent.
>
> Can anyone give an example of so doing?
>
> A current means of effecting the same is, of course, '--passphrase-fd
> 3', for something like:
> 'echo "Secret data" | gpg.exe -c --passphrase-fd 3 3< echo %PASSWORD% >
> secretdata.gpg'
> - except I have no idea [in (Win 10) DOS, not powershell, cmd] how to
> get anything into file descriptor 3.
> = let alone get an echo into fd 3 (without actually landing on a
> filesystem, even temporarily).
>
> Of course:
> 'echo "Secret data" | gpg.exe -c --passphrase > secretdata.gpg'
> - doesn't work, as stdin can't be 'in two places at once', both
> passphrase input, and data input.
> = Remember, "Secret data" isn't on disk, either - it's being piped in, too.
>
> Has anyone got a link to a working example of '3<' or
> 'PINENTRY_USER_DATA which can fulfill the same task' of gpg picking up
> its passphrase from an environment variable?
>
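As an added example for this thread (it is not code from the list post, from GnuPG, or from the cited T4154 patch): a POSIX sh script that does what the reply's FIFO snippet does, but as a reusable function whose callers still get to pipe data through stdin/stdout, plus a parser for the pinentry reply that closes two gaps in the sed one-liner above (an ERR line, e.g. on cancel, becomes a failure instead of an empty passphrase, and libassuan's percent-escaping of the D line is decoded). All function names are mine; the passphrase and the pinentry replies used in the demo and comments are constructed samples; the gpg options used are the documented --batch, --pinentry-mode, --passphrase-fd, --symmetric, --cipher-algo and --no-symkey-cache (the last needs GnuPG 2.2.7 or later).

```sh
#!/bin/sh
# Added example for this thread, not code from the list post or from GnuPG.
# Function and variable names are mine; sample passphrases are constructed.

# run_with_passphrase_fd3 PASSPHRASE CMD [ARG...]
# Runs CMD with fd 3 connected to a FIFO carrying PASSPHRASE plus a newline.
# CMD's stdin and stdout are untouched, so data can still be piped through it.
# printf is a shell builtin, so the passphrase is on no process's argv (unlike
# /bin/echo), and the FIFO is only a rendezvous point: the bytes travel through
# a kernel pipe and never land on the filesystem.
run_with_passphrase_fd3() {
    local pass dir fifo rc
    pass=$1; shift
    dir=$(mktemp -d) || return 1            # 0700 directory, unpredictable name
    fifo=$dir/pass.fifo
    mkfifo -m 0600 "$fifo" || { rm -rf "$dir"; return 1; }
    # Background writer; its open() blocks until CMD's "3<" opens the read end.
    ( printf '%s\n' "$pass" > "$fifo" ) &
    rc=0
    "$@" 3< "$fifo" || rc=$?
    wait $! 2>/dev/null || :
    rm -rf "$dir"
    return "$rc"
}

# Symmetric encryption with the passphrase on fd 3. Both --batch and
# --pinentry-mode loopback matter: gpg(1) notes that since 2.0 a --passphrase-fd
# passphrase is only used together with --batch, and since 2.1 the pinentry
# mode must be loopback. --no-symkey-cache (GnuPG 2.2.7+) keeps gpg-agent from
# caching the symmetric passphrase afterwards.
gpg_encrypt_sym() {    # usage: ... | gpg_encrypt_sym PASSPHRASE > out.gpg
    run_with_passphrase_fd3 "$1" gpg --batch --quiet --no-symkey-cache \
        --pinentry-mode loopback --passphrase-fd 3 --symmetric --cipher-algo AES256
}
gpg_decrypt_sym() {    # usage: gpg_decrypt_sym PASSPHRASE < out.gpg
    run_with_passphrase_fd3 "$1" gpg --batch --quiet --no-symkey-cache \
        --pinentry-mode loopback --passphrase-fd 3 --decrypt
}

# pinentry_extract_pin < assuan-reply
# Parses the reply stream of "printf 'GETPIN\nBYE\n' | pinentry ..." and prints
# the entered PIN. Unlike a plain sed over the D line it fails (status 2) on an
# ERR line, e.g. when the user cancels, instead of yielding an empty
# passphrase, fails (status 1) when no D line arrived at all, and undoes
# libassuan's percent-escaping of data lines ('%' -> %25, LF -> %0A, CR -> %0D).
pinentry_extract_pin() {
    awk '
        /^ERR / { err = 1; exit }
        /^D /   { s = substr($0, 3)
                  gsub(/%0A/, "\n", s); gsub(/%0D/, "\r", s)
                  gsub(/%25/, "%", s)       # decode %25 last
                  print s; found = 1 }
        END     { if (err) exit 2; exit (found ? 0 : 1) }
    '
}

# Stand-in consumer for demonstrating the fd 3 plumbing without gpg: it shows
# that fd 3 and stdin arrive as two separate streams.
show_fd3_and_stdin() {
    printf 'fd3=%s stdin=%s\n' "$(cat <&3)" "$(cat)"
}

# Round trip through gpg; run as "sh thisfile.sh demo". The plaintext and the
# passphrase (a constructed sample, reusing the one from the thread) exist
# only in pipes and shell memory.
demo() {
    printf 'Stuff to be encrypted.\n' \
        | gpg_encrypt_sym 'KXhtctw4_zFfhRop' \
        | gpg_decrypt_sym 'KXhtctw4_zFfhRop'
}

if [ "${1-}" = demo ]; then demo; fi
```

The pinentry side of the thread's snippet then becomes: printf 'GETPIN\nBYE\n' | pinentry --ttyname "$GPG_TTY" | pinentry_extract_pin. Compared with the script in the reply, the FIFO lives in a mktemp -d directory (mode 0700, unpredictable name) rather than a three-X template in /tmp, the writer is a builtin printf in a subshell, and gpg's exit status survives the cleanup so a wrong passphrase is detectable by the caller.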
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users