When the gpg subkey has expired, how to reset the subkey expiration through
gpg --quick-set-expire fpr expire subfprs
in bash script? The key is that there is no way to get expired subfprs (subkey-fingerprint), even through the interactive command
gpg --edit-key userid
can not get the subkey's fingerprint.
Related
I'm trying to run gpg from a Bash script designed to backup a website. The command that fails is
gpg --homedir /home/backupuser/.gnupg --verbose --no-tty --recipient {group-name} --trust-model always --output /home/backupuser/backup/{tar-file}.gpg --encrypt /mnt/ramdir/site-backup-backupuser/{tar-file}
It fails with return code 127. The gpg home directory exists, as does the {tar-file}. The output directory exists but the output file does not.
If I repeat the gpg command in the script it fails in exactly the same way. But if I execute it in shell immediately after it has failed in the script it works as expected. The output is:
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address1}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address2}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: reading from '/mnt/ramdir/site-backup-backupuser/{tar-file}'
gpg: writing to '/home/backupuser/backup/{tar-file}.gpg'
gpg: '/mnt/ramdir/site-backup-backupuser/{tar-file}' already compressed
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address1}>"
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address2}>"
This is Debian "bullseye" 11.6, gpg 2.2.27 and libgcrypt 1.8.8.
I have tried numerous combinations of parameters, always with the above result. With or without --homedir, with or without sudo (I was getting desperate), from a file on disk rather than in RAM, with or without --verbose and several others.
I'm working on a small ruby script that will checkout and sync a branch on two different servers. I'm trying to figure out how to pass a password to git when pulling. Right now I have
Net::SSH.start(host, user, password: password) do |ssh|
# other code....
result = ssh.exec!("git pull")
# results in Enter passphrase for key '/root/.ssh/id_rsa'
end
After running the git command it get a prompt for the key passphrase.
Is it possible to pass that in with a git command? Or is there another way to do that within ruby?
The net-ssh documetation does mention the method Net::SSH.start() accepts a passphrase argument:
passphrase
the passphrase to use when loading a private key (default is nil, for no passphrase)
So if you can get the passphrase (from a file or environment variable) in your program, you can add that argument to the Net::SSH.start() method.
Once you are connected, however, it is best to:
use a passphrase-less key for Git SSH URL
or use an HTTPS URL instead, for git pull commands, since you can register once and for all the password (not passphrase) associated with that HTTPS URL in a credential storage.
Using a passphrase means adding to your SSH session:
running the ssh-agent
entering the passphrase through a script
That seems quite cumbersome.
I am trying to get a better understanding of what is going on with gpg.
If you have a file and sign it: gpg --sign file.txt
you can verify it with: gpg --verify file.txt.gpg
when you get a successful output: gpg: Signature made...
But when you sign AND encrypt a file: gpg --encrypt --sign -r test#email.com file.txt
and then run --verify on the encrypted file I get: gpg: verify signatures failed: Unexpected error
I know that I can just call --decrypt on the file and it will verify and decrypt it, but what if I want to verify only?
I figured out the answer to this and then some. So I am going to add some additional information for clarity.
First of all, I realize based on the last line to this answer that gpg uses SIGN THEN ENCRYPT. Which means calling --verify or any variation to verify on an encrypted file will just output gpg: verify signatures failed: Unexpected error. This happens because the signature is "hidden" in encryption, so when you try to call --verify on the file, it will not see a signature.
Secondly, the --decrypt flag will both decrypt the file AND if the file is signed, verify it too.
Here is what --decrypt is doing. It looks at your default secret keyring secring.kbx in ~/.gnupg to use a secret key for decrypting the file. Then after it is decrypted, it looks at your default public keyring pubring.kbx in the folder ~/.gnupg and tries to verify the signature on the file, if it has one.
If it has no signature, it will just decrypt the file.
If it has a signature, but you don't have the public key, it will decrypt the file but it will fail to verify the signature.
If it has a signature and you have the public key, it will decrypt and verify.
With that said, there is no reason to verify a signed file BEFORE decrypting it.
Thirdly, as an added bonus, you can also specify a keyring you want to use for decrypting and verification. Say you want to use a temporary keyring to verify signatures or for what ever reason you want a temporary keyring to decrypt the message too.
You can specify the keyrings for --decrypt to use with the following command:
gpg --secret-keyring path/to/temp/secring.kbx --keyring path/to/temp/pubring.kbx --decrypt file.txt.gpg
This command will look for the secret ring and public ring at the specified paths in order to use those rings for decryption and verification instead of the default rings found in ~/.gnupg. Want to use a default ring with a temp ring? Just omit the flag and path to the ring you want defaulted.
All in all, for encrypted and signed files, if you want to decrypt and verify that file, you need to make sure that the private key for decryption is in your secret keyring and the public key for verification is in your public keyring.
One thing to understand about GPG encrypt & sign, which isn't very well explained, is that the signature can only be verified by the recipient.
Suppose Alice encrypts a file to send to Bob. She will encrypt with Bob's public key, and sign with her private key.
gpg --output encrypted.gpg --recipient B0B0000000000000000000000000000000000000 --armor --sign --default-key A11CE00000000000000000000000000000000000 --encrypt file-to-encrypt.txt
There's no way now for Alice, or anyone who does not have Bob's private key, to verify the signature.
Now Bob will decrypt the file. If it is signed, he'll see information about the signature in the output:
$ gpg --decrypt encrypted.gpg > decrypted.txt
gpg: encrypted with 2048-bit RSA key, ID D83A4C12B3840EBA, created 2020-09-24
"Alice <alice#example.com>"
gpg: Signature made 09/28/20 13:16:47 Eastern Daylight Time
gpg: using RSA key A11CE00000000000000000000000000000000000
gpg: Good signature from "Alice <alice#example.com>" [ultimate]
Note the Signature made and Good signature lines in the output.
$ gpg --encrypt --sign -r test#email.com file.txt
After file.txt.gpg generated, try the command below:
$ gpg -d file.txt.gpg
or just execute:
$ gpg file.txt.gpg
I am looking for help to figure out how to tie a secret key with a passphrase to encrypt a file using GPG.
I had tested many option (--encrypt, --sign, --recipient, --symmetric, etc), but in all of them, I was able to decrypt the file typing only the passphrase, even in a machine where I don't have the public nor the private/secret keys.
Is there a way to force the user to have the secret key and to be asked to type the passphrase?
I am open to any other idea that force a double security check to decrypt the protected file.
Thanks,
during decryption process type
gpg --allow-secret-key-import --import PrivateKey.gpg
after that prompt will appear for passphrase, enter the passphrase and after that decrypt file using
gpg filename.gpg
I'm trying to decrypt a file using gpg and getting this error:
$ gpg --no-tty --batch --verbose --decrypt --passphrase foo file.enc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header:
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key
I tried to reload the gpg agent, no luck:
$ gpgconf --reload gpg-agent
How to solve that?
For the record, if somebody will encounter this problem, too:
The problem was, that the encryption was done using gpg version 1.4.11 and the decryption was using gpg version 2.0.22.
After upgrading the encryption to gpg2 (2.0.17), everything worked fine.
I found this, which seems to be the magic that I could not find anywhere else:
Try adding --pinentry-mode loopback to your command. Maybe there is a
problem with your installation / pinentry program so that it does not start or
you are accidentally using a dummy / test pinentry which provides the wrong
passphrase.
I encrypted my file with a passphrase file in batch mode. When I tried to decrypt my file I got the dreaded "bad session key" message.
I created a passphrase file with Vim for Windows, and Vim left \r\n at the end of the text line even though I did not hit carriage return. gpg ignored the \n but retained the \r as part of the passphrase!
Vim for Windows can be induced to not leave \r\n, but it is easier to just use Notepad without a carriage return at the end of line. Best to check your passphrase file with a hexdump to be sure. There are other ways to get hurt by \r\n issues when supplying the passphrase using the command line, so be alert to it.