Mailing List Archive: GnuPG: users

non-interactive expiration of a key using --batch?

dkg at fifthhorseman

May 4, 2012, 3:38 PM

Post #1 of 5
non-interactive expiration of a key using --batch?

Hi folks--

I'm having trouble setting up non-interactive expiration updates of a
key with a passphrase. I think i should use the --batch argument
because i want to ensure that gpg doesn't try to hang waiting on user
interaction, but when i use the --batch argument, the update isn't
saved.

let's say the passphrase is contained in the file "pw".

As you can see below, saving an update to 12 weeks without --batch
advances the expiration date to 2012-07-27, and a following --list-keys
shows the update. Subsequently, saving it to 13 weeks with --batch
shows the change to 2012-08-03, but a following --list-keys shows the
expiration date reverted to 2012-07-27.

this is with gnupg 1.4.12-4, from debian testing.

Any ideas what's going on here? Am i wrong to try to use --batch in
this instance?

--dkg

0 wt215 [at] pi:~$ gpg --list-keys
/home/wt215/testexpiry/pubring.gpg
----------------------------------
pub 1024R/20819466 2012-05-03 [expires: 2012-07-20]
uid blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$ printf "12w\nsave\n" | gpg --passphrase-fd 3 --command-fd 0 --edit-key test [at] example 3<pw expire
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Reading passphrase from file descriptor 3
Secret key is available.

pub 1024R/20819466 created: 2012-05-03 expires: 2012-07-20 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). blab blab (DO NOT USE!) <test [at] example>

Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key expires at Fri 27 Jul 2012 04:37:23 PM EDT

You need a passphrase to unlock the secret key for
user: "blab blab (DO NOT USE!) <test [at] example>"
1024-bit RSA key, ID 20819466, created 2012-05-03


pub 1024R/20819466 created: 2012-05-03 expires: 2012-07-27 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$ gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2012-07-27
/home/wt215/testexpiry/pubring.gpg
----------------------------------
pub 1024R/20819466 2012-05-03 [expires: 2012-07-27]
uid blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$ printf "13w\nsave\n" | gpg --batch --passphrase-fd 3 --command-fd 0 --edit-key test [at] example 3<pw expire
Secret key is available.

pub 1024R/20819466 created: 2012-05-03 expires: 2012-07-27 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). blab blab (DO NOT USE!) <test [at] example>

Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key expires at Fri 03 Aug 2012 04:37:34 PM EDT

pub 1024R/20819466 created: 2012-05-03 expires: 2012-08-03 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$ gpg --list-keys
/home/wt215/testexpiry/pubring.gpg
----------------------------------
pub 1024R/20819466 2012-05-03 [expires: 2012-07-27]
uid blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$


wk at gnupg

May 7, 2012, 1:26 AM

Post #2 of 5
Re: non-interactive expiration of a key using --batch?

On Sat, 5 May 2012 00:38, dkg [at] fifthhorseman said:

> Any ideas what's going on here? Am i wrong to try to use --batch in
> this instance?

It would be useful to add --status-fd 2, so that you can see what gpg
actually expects as user/batch input.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.


_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


dkg at fifthhorseman

May 7, 2012, 7:31 AM

Post #3 of 5
Re: non-interactive expiration of a key using --batch?

On 05/07/2012 04:26 AM, Werner Koch wrote:
> On Sat, 5 May 2012 00:38, dkg [at] fifthhorseman said:
>
>> Any ideas what's going on here? Am i wrong to try to use --batch in
>> this instance?
>
> It would be useful to add --status-fd 2, so that you can see what gpg
> actually expects as user/batch input.


here you go, with --status-fd 2 (wrapped in --list-keys so you can see
that the expiration date doesn't change):

-----------------------

0 wt215 [at] pi:~$ gpg --list-keys test [at] example
pub 1024R/20819466 2012-05-03 [expires: 2012-07-09]
uid blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$ printf "10w\nsave\n" | gpg --batch --passphrase-fd 3 --command-fd 0 --status-fd=2 --edit-key test [at] example expire 3<pw
Secret key is available.

pub 1024R/20819466 created: 2012-05-03 expires: 2012-07-09 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). blab blab (DO NOT USE!) <test [at] example>

Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
[GNUPG:] GET_LINE keygen.valid
[GNUPG:] GOT_IT
Key expires at Mon 16 Jul 2012 10:29:02 AM EDT
[GNUPG:] USERID_HINT 34759F1120819466 blab blab (DO NOT USE!) <test [at] example>
[GNUPG:] NEED_PASSPHRASE 34759F1120819466 34759F1120819466 1 0
[GNUPG:] GOOD_PASSPHRASE

pub 1024R/20819466 created: 2012-05-03 expires: 2012-07-16 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$ gpg --list-keys test [at] example
pub 1024R/20819466 2012-05-03 [expires: 2012-07-09]
uid blab blab (DO NOT USE!) <test [at] example>

0 wt215 [at] pi:~$
-------------------------


I don't see anything in the --status-fd output that gives me more of a
clue, unfortunately.

Any pointers?

--dkg


wk at gnupg

May 7, 2012, 8:18 AM

Post #4 of 5
Re: non-interactive expiration of a key using --batch?

On Mon, 7 May 2012 16:31, dkg [at] fifthhorseman said:
> I don't see anything in the --status-fd output that gives me more of a
> clue, unfortunately.

I need to debug it later this evening.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.




wk at gnupg

May 7, 2012, 11:47 AM

Post #5 of 5
Re: non-interactive expiration of a key using --batch?

Hi,

the problem you have is that you mix commands on the command line and
those from stdin. If you replace

$ printf "10w\nsave\n" | gpg --batch --passphrase-fd 3 \
--command-fd 0 --status-fd=2 --edit-key test [at] example expire 3<pw

by

$ printf "expire\n10w\nsave\n" | gpg --batch --passphrase-fd 3 \
--command-fd 0 --status-fd=2 --edit-key test [at] example 3<pw

it will work as you expect. Reading commands from the command line is a
kludge which allows one to implement --sign-key easily. Commands from the
command line are read and evaluated before reading commands from stdin.
Now, the definition of --batch is that no user input is required. Thus
it will terminate gpg immediately when there are no more commands from
the command line. I agree that the mix of --command-fd and --batch is
not very clean. Changing this behaviour would for sure break some
existing code.

Using these batched commands is in any case not a good idea, because you
never know what gpg wants to know from you. The very first version of
GPA was implemented only with batched commands and thus stopped working
for any more complicated keys. The current version of GPA uses an FSM to
provide default answers to unknown prompts and thus keeps on working
even with slightly changed --edit-key interface.

A word of warning in the man page would be a good idea; however the
entire interface is not very well documented I fear.



Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are governed by a federal law.


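An added example, not from this thread and not GnuPG's or GPA's own code: a small Python wrapper that performs Werner's corrected invocation (every editor command on --command-fd 0, nothing after the key on the command line) and then adds the two checks the thread shows are needed: a digest of the `[GNUPG:]` status lines, and a comparison of the expiry from a fresh key listing before and after, since the banner printed inside --edit-key reported 2012-08-03 even when nothing was saved. It assumes `gpg` on PATH and the `--fixed-list-mode --with-colons` listing format (field 7 of the `pub` record is the expiry in seconds since epoch), neither of which appears in the thread.

```python
import subprocess

def edit_key_argv(key, passphrase_fd):
    # Every editor command arrives via --command-fd 0; nothing follows the key
    # on the command line, which is the mix that --batch cuts short.
    return ["gpg", "--batch", "--passphrase-fd", str(passphrase_fd),
            "--command-fd", "0", "--status-fd", "2", "--edit-key", key]

def edit_key_stdin(weeks):
    # The stdin script of the corrected invocation from the thread.
    return "expire\n%dw\nsave\n" % weeks

def status_summary(status_text):
    # Was the passphrase accepted, and did every GET_LINE prompt get a GOT_IT?
    good_passphrase, pending = False, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary --edit-key chatter, not a status line
        fields = line.split()[1:]  # keyword followed by its arguments
        if fields[0] == "GET_LINE":
            pending.append(fields[1])
        elif fields[0] == "GOT_IT" and pending:
            pending.pop()
        elif fields[0] == "GOOD_PASSPHRASE":
            good_passphrase = True
    return {"good_passphrase": good_passphrase, "unanswered": pending}

def expiry_from_listing(colon_listing):
    # Field 7 of the pub record in `gpg --fixed-list-mode --with-colons
    # --list-keys` output (assumed format): expiry in seconds since epoch,
    # empty when the key never expires.
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            return int(fields[6]) if fields[6] else None
    raise ValueError("no pub record in listing")

def list_expiry(key):
    argv = ["gpg", "--fixed-list-mode", "--with-colons", "--list-keys", key]
    out = subprocess.run(argv, check=True, capture_output=True, text=True)
    return expiry_from_listing(out.stdout)

def extend_expiry(key, weeks, passphrase_file):
    # Decide success from a fresh listing, not from the banner --edit-key prints.
    before = list_expiry(key)
    with open(passphrase_file) as pw:
        proc = subprocess.run(edit_key_argv(key, pw.fileno()),
                              input=edit_key_stdin(weeks), text=True,
                              pass_fds=(pw.fileno(),), capture_output=True)
    summary = status_summary(proc.stderr)
    return (proc.returncode == 0 and summary["good_passphrase"]
            and not summary["unanswered"] and list_expiry(key) != before)
```

`extend_expiry("test@example", 10, "pw")` returns True only when gpg exited cleanly, accepted the passphrase, left no prompt waiting, and the listed expiry actually moved.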
