On 12/23/20 1:56 PM, Oron Peled wrote:
> More problematic, but possible. The key is using "--pinentry-mode=loopback" (I don't have my scripts in front of me for further details)
There are simple use cases that are very problematic. Consider this:

```
[me@localhost tmp]$ date >date.txt
[me@localhost tmp]$ gpg --pinentry-mode=loopback -c date.txt
### this asks for a passphrase
[me@localhost tmp]$ ls -l
total 8
-rw-rw-r-- 1 me me  32 Dec 24 16:59 date.txt
-rw-rw-r-- 1 me me 110 Dec 24 17:00 date.txt.gpg
[me@localhost tmp]$ rm date.txt
[me@localhost tmp]$ gpg --pinentry-mode=loopback date.txt.gpg
### this does not ask!
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
[me@localhost tmp]$ ls -l
total 8
-rw-rw-r-- 1 me me  32 Dec 24 17:00 date.txt
-rw-rw-r-- 1 me me 110 Dec 24 17:00 date.txt.gpg
```

That would be a very simple tutorial about symmetric encryption, and it is absolutely surprising, since decryption happens without any need to supply the passphrase. Because an agent was forked and it remembers the symmetric passphrase I've used! Crazy.

So let's see if we can use --batch: using it on encryption conflicts with pinentry, using it on decryption doesn't disable the gpg-agent usage.

We should try to avoid the agent, let's see in the man page:

```
--use-agent
--no-use-agent
    This is dummy option. gpg always requires the agent.
```

Wow, the option you want, but with a dummy implementation.

There is a --no-autostart, let's try it: more wasted time.

The use case I care about is for a script that reads some data from an encrypted file, asking me the passphrase when necessary. Something like:

```
token="$(gpg1 --output - secrets.gpg | grep ^token= | cut -d= -f2)"
# use $token
```

The passphrase should not be hardcoded in the script or remembered by a magic gpg-agent forked behind my back.

My only solution has been:

```
dnf install gnupg1
```

Regards.
--
Roberto Ragusa
mail at robertoragusa.it

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
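As an added example (not code from this thread or from the GnuPG project), the script pattern the post asks for, written for GnuPG 2.2.7 or later, whose --no-symkey-cache option keeps a symmetric passphrase out of gpg-agent's cache so every run prompts again. The file name, the key name `token`, and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: read one key=value secret from a symmetrically encrypted
# file without gpg-agent remembering the passphrase between runs.
# Assumes GnuPG >= 2.2.7 (provides --no-symkey-cache); file name, key name
# and helper names are illustrative.

# extract_token KEY: read key=value lines on stdin, print the value for KEY.
# -f2- keeps everything after the first '=', so values containing '=' survive.
extract_token() {
    key=$1
    grep "^${key}=" | head -n 1 | cut -d= -f2-
}

# decrypt_secrets FILE: prompt on the terminal (not stdin, which may be a
# pipe), hand the passphrase to gpg over fd 0, write the plaintext to stdout.
# --batch is required for --passphrase-fd to be honoured in GnuPG 2.x;
# --no-symkey-cache stops the agent from caching the symmetric passphrase.
decrypt_secrets() {
    file=$1
    printf 'Passphrase for %s: ' "$file" >&2
    stty -echo </dev/tty 2>/dev/null
    IFS= read -r pass </dev/tty
    stty echo </dev/tty 2>/dev/null
    printf '\n' >&2
    printf '%s\n' "$pass" | gpg --batch --quiet --no-symkey-cache \
        --pinentry-mode loopback --passphrase-fd 0 --decrypt "$file"
    status=$?
    unset pass
    return $status
}

# Usage: ./script.sh secrets.gpg
if [ -n "$1" ]; then
    token=$(decrypt_secrets "$1" | extract_token token) || exit 1
    [ -n "$token" ] || { echo "no token= line in $1" >&2; exit 1; }
    # use "$token" here ...
fi
```

On GnuPG builds older than 2.2.7 the option is absent; there the practical fallback is to flush the agent's cache after use with `gpg-connect-agent reloadagent /bye`, which is a real command but a blunter tool, since it also drops any cached private-key passphrases. Note that the loopback pinentry itself does not prevent caching; it only changes where gpg reads the passphrase from, which is exactly what the session in the post shows.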