I am building an auto build script for generating applications. Before I ran every command manually. The build script is almost finished, but there is a problem. Some commands require input, but I don't know how to provide input to the commands without prompting the user. For example:
keytool -genkey -v -keystore Keystore/$name.keystore -alias $lowername -keyalg RSA -keysize 2048 -validity 10000
This asks for the current password, which is always the same, but I need to enter it every time.
Is there a way I can provide the answers to the questions I get when running the command without showing this to the user?
You can use the program expect (part of a TCL extension library) to achieve this.
It is pretty trivial to use.
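An alternative that avoids driving the prompt at all, added here and not part of the answer above: keytool itself accepts the keystore and key passwords non-interactively through -storepass and -keypass, and the ":env" form of those options reads the value from a named environment variable so it never appears in the command line or in a process listing; -dname answers the name/organisation questions. The wrapper below assumes keytool is on PATH and that the caller puts the password in an environment variable (KEYSTORE_PASS is an assumed name). Where a tool really has no such option, the Python equivalent of expect is the third-party pexpect module.

```python
"""Run keytool -genkeypair without interactive prompts (added example).

Assumptions: keytool on PATH; the password is handed over in the
environment variable KEYSTORE_PASS (assumed name) and read by keytool via
-storepass:env / -keypass:env, so it is not part of the command line.
"""
import os
import subprocess
from pathlib import Path
from typing import Dict, List

PASS_ENV = "KEYSTORE_PASS"  # assumed variable name holding the password


def keytool_genkey_args(name: str, alias: str, dname: str) -> List[str]:
    """Build the keytool argv; the password itself never appears in it."""
    keystore = Path("Keystore") / f"{name}.keystore"
    return [
        "keytool", "-genkeypair", "-v",
        "-keystore", str(keystore),
        "-alias", alias.lower(),
        "-keyalg", "RSA", "-keysize", "2048", "-validity", "10000",
        "-dname", dname,              # answers the name/org/country questions
        "-storepass:env", PASS_ENV,   # keystore password from the environment
        "-keypass:env", PASS_ENV,     # key password: same variable
    ]


def build_env(password: str) -> Dict[str, str]:
    """Child-process environment: inherit ours, add the password variable."""
    env = dict(os.environ)
    env[PASS_ENV] = password
    return env


def generate_keystore(name: str, alias: str, dname: str, password: str) -> int:
    """Create Keystore/<name>.keystore; returns keytool's exit status."""
    Path("Keystore").mkdir(exist_ok=True)
    result = subprocess.run(keytool_genkey_args(name, alias, dname),
                            env=build_env(password))
    return result.returncode


if __name__ == "__main__":
    # Usage: the password is taken from the caller's environment, never typed.
    secret = os.environ.get(PASS_ENV, "")
    raise SystemExit(generate_keystore("MyApp", "MyApp",
                                       "CN=MyApp, O=Example, C=US", secret))
```

Run it as `KEYSTORE_PASS=... python3 genkey.py`; because keytool reads the password from the variable, neither the batch script nor the process list contains it.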
I am working on a tool that sends out automated reports to our clients. This specific client wants the file to be encrypted and then signed. I have tried several different methods, with hours of searching, and have not had much luck. I know GPG signs then encrypts, but does anyone know if it is possible to swap the order? And if not, does anyone know of any command line alternatives that can be run in a Linux container?
Example:
gpg --always-trust --batch --yes -s -u 'signee#email.com' -r 'receiver#email.com' -o 'test.txt.pgp' -e 'test.txt'
On verify:
gpg: verify signatures failed: Unexpected error
GPG doesn't seem to allow this in a single pass.
You have two options:
use detached signing; then you'll need to send two files: one with the encrypted data and a second with the signature
encrypt the data in the first pass and then sign it in the second. However, that would also need two steps on the receiving side: first verify the signature/unwrap the data, then decrypt it.
Also, it could be useful to ask the client what exact format he expects to receive. Just an example gpg --list-packets report-file output should be helpful.
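To make use of that --list-packets output, here is an added example (not from the answer above) that summarises the top-level packet structure of a file and tells you which of the three layouts you are looking at. The sample listings are constructed to follow gpg's reporting format; the key IDs in them are placeholders. The point it demonstrates: without the recipient's private key, gpg cannot look inside the encrypted session, so GPG's default sign-then-encrypt output shows only encryption packets, while encrypt-then-sign shows the signature packets at the top level wrapping a literal data packet whose recorded name is the encrypted file, and a detached signature is a signature packet with no literal data at all.

```python
"""Summarise `gpg --list-packets` output (added example).

The sample listings below are constructed; key IDs are placeholders.
"""
import re
from typing import List

# gpg prints one ":<kind> packet:" header per packet, details indented below it
PACKET_RE = re.compile(r"^:(?P<kind>.+?) packet:")
NAME_RE = re.compile(r'name="(?P<name>[^"]*)"')

# Constructed: gpg -se output seen without the recipient's private key
SIGN_THEN_ENCRYPT = """\
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
    data: [2047 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
"""

# Constructed: an already-encrypted file signed in a second pass
ENCRYPT_THEN_SIGN = """\
:onepass_sig packet: keyid FEDCBA9876543210
    version 3, sigclass 0x00, digest 8, pubkey 1, last=1
:literal data packet:
    mode b (62), created 1600000000, name="test.txt.gpg",
    raw data: 512 bytes
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1600000000, md5len 0, sigclass 0x00
"""

# Constructed: gpg --detach-sign output
DETACHED = """\
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1600000000, md5len 0, sigclass 0x00
"""


def packet_kinds(listing: str) -> List[str]:
    """Packet types in the order gpg lists them."""
    kinds = []
    for line in listing.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            kinds.append(m.group("kind"))
    return kinds


def literal_name(listing: str) -> str:
    """Filename recorded in the literal data packet, if one is visible."""
    m = NAME_RE.search(listing)
    return m.group("name") if m else ""


def classify(listing: str) -> str:
    kinds = packet_kinds(listing)
    encrypted = any(k in ("pubkey enc", "symkey enc", "encrypted data") for k in kinds)
    signed = any(k in ("onepass_sig", "signature") for k in kinds)
    literal = "literal data" in kinds
    if encrypted and not signed:
        # sign-then-encrypt looks like this: the signature is inside
        return "encrypted (any signature is inside the encrypted data)"
    if signed and literal:
        # a name ending in .gpg/.pgp means the signed payload is itself a ciphertext
        return f"signed, wrapping literal data {literal_name(listing)!r}"
    if signed:
        return "detached signature"
    return "unrecognised"


if __name__ == "__main__":
    for label, sample in [("sign-then-encrypt", SIGN_THEN_ENCRYPT),
                          ("encrypt-then-sign", ENCRYPT_THEN_SIGN),
                          ("detached", DETACHED)]:
        print(f"{label:18} -> {classify(sample)}")
```

Feed it real output with `gpg --list-packets report-file > listing.txt` and call `classify(open("listing.txt").read())`; if the client's expected layout is "signed, wrapping literal data '....gpg'", they want the two-pass encrypt-then-sign described above.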
I will be receiving PGP encrypted files from a customer through sFTP - I already have a process to automate pulling of files. Once I receive the encrypted file, I'd like to automate decryption.
I created a key pair with GoAnywhere OpenPGP Studio (public key will go to customer). I want to use the private key along with the secret passphrase in a batch file script that will run as a scheduled task in Windows Task Scheduler. This is my script:
gpg --keyring "C:\UserFolder\.openpgpstudio\keys\pubring.pkr" --secret-keyring "C:\UserFolder\.openpgpstudio\keys\secring.skr" --batch --yes --passphrase-fd "secretPassPhrase" -o "D:\FilePath\testPGP.txt" -d "D:\FilePath\testPGP.txt.pgp"
exit
When I try to run my script, there are still some manual steps needed to decrypt files. There are a couple of issues I faced:
When executing the batch file, a command prompt window opens with the same script I have in my batch file. For decryption to occur and output a text file, I have to hit Enter. This is not automatic and would cause the scheduled task to get stuck.
Even though I am using the --passphrase-fd option, there are times when I am still prompted for the passphrase - this passphrase popup would also cause the scheduled task to get stuck running.
Is there a way to bypass these two manual steps so that my script is fully automated?
Follow up question: Does the -d option accept wildcard characters so that I can just decrypt any found file with a .pgp extension, and am I able to use the -o option to output a .txt file of the same name as the .pgp file?
The --passphrase-fd option should be used with a file descriptor (i.e. a number like 3, 4, 5 and so on), not the password string. You should use the --passphrase option, adding --pinentry-mode=loopback. Currently it most likely works because the password is asked for via a popup and cached.
-d with wildcards doesn't work; however, you may use a simple script to iterate over all files with the .pgp extension.
I would like to execute the below curl command and specify my own key store.
I tried using the --cacert option and specified the path of the cacerts JKS.
curl --ssl-reqd --url 'smtp://mailhost.myorg.com:587' --user 'usrid:pwd' --mail-from 'fromaddr#myorg.com' --mail-rcpt 'toaddr#myorg.com' --upload-file mail.txt -vv --cacert /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-1.el7_9.x86_64/jre/lib/security/cacerts
But it resulted in an error.
curl: (77) Problem with the SSL CA cert (path? access rights?)
As Amit quoted, curl --cacert requires a file in PEM format -- but the Java cacerts file is in JKS format, which is massively different.
You can convert the certs from JKS format to PEM format with a script, something like:
jks=/usr/lib/jvm/$javaversion/jre/lib/security/cacerts
# list the trusted-cert aliases (field 1 of each "alias, date, trustedCertEntry," line)
keytool -keystore "$jks" -storepass changeit -list |
  awk -F, '/trustedCert/{print $1}' |
  while IFS= read -r alias; do
    # export each one in PEM (-rfc) and concatenate them into one bundle
    keytool -keystore "$jks" -storepass changeit -exportcert -alias "$alias" -rfc
  done >pemfile
# for Java 9 and up use -cacerts instead of -keystore "$jks"
which maybe makes this marginally on-topic for SO, since your Q isn't about programming at all. Instead of doing all the certs you could do a selected one, or few, that are needed for the connections you want to make and validate.
But for RedHat (as tagged) this isn't necessary. In RedHat (and RH-based) OpenJDK packages, JRE/lib/security/cacerts is actually a symlink to /etc/pki/java/cacerts, which is supplied by a different package, ca-certificates.noarch -- which also supplies the same certs already in PEM format in /etc/pki/tls/cert.pem, so you could use that directly (in spite of the name appearing singular it actually contains, or rather links to a file containing, many certs), AND in NSS format in /etc/pki/nssdb/*, which is what the RH package of curl uses by default. Thus your curl already by default uses the same certs you can get from the Java cacerts file, so this effort accomplishes nothing at all.
When using --cacert you need to specify the certificate file, e.g. /tmp/ca.crt
From the docs:
--cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.
--capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Certificate directories are not supported under Windows (because c_rehash uses symbolic links to create them). Using --capath can allow curl to make https connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used.
So, if you specify --cacert, the CA certs are stored in the specified file. These CA certificates are used to verify the certs of remote servers that cURL connects to.
The --capath option is used to specify a directory containing the CA certs rather than a single file.
I have been trying multiple different ways to decrypt using a Windows batch file. Moving the options around either a) causes the passphrase prompt to pop up or b) makes the batch file simply fail with a message that the passphrase was not found. There is lots of info online, but most of it is old and no longer applicable to the newer version of GPG.
When I do get prompted for the passphrase, the files decrypt just fine.
Using GPG 2.2.19.
Below is the line from the batch file. Can anyone see what is wrong? I understand putting the --password string in the batch file is not good practice, but there are only 2 trusted admins on this Windows machine (Win 2012 R2) and we both need the decryption tasks automated.
Batch file:
CD "C:\Program Files (x86)\GnuPG\bin\"
GPG echo PASSPHRASE|gpg --batch --pinentry-mode loopback -o X:\OUTPUTDIRECTORY\FILENAME.CSV --passphrase-fd 0 -d X:\ENCRYPTEDFILEDIRECTORY\FILENAME.gpg
The correct answer is below. Note the quotes, the absence of --batch, and the elimination of echo and PASSPHRASE|gpg. The placement of the options must be exactly like that. I have tested this numerous times and set up Windows Task Scheduler to execute the batch file; everything runs perfectly.
gpg --pinentry-mode=loopback --passphrase "YOURPASSPHRASE" -d -o "X:\OUTPUT DIRECTORY\FILENAME.csv" "X:\ENCRYPTEDFILEDIRECTORY\FILENAME.gpg"
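Both this question and the earlier Windows Task Scheduler one want the same thing: unattended gpg decryption, ideally of every .pgp file in a folder, each written to a .txt of the same name. The following is an added example, not code from either poster. It keeps the working options from the answer above (--pinentry-mode loopback, output before input) but hands the passphrase to gpg over stdin with --passphrase-fd 0 instead of putting it in --passphrase, so it is not visible in the command line or in the process list while the task runs; the passphrase file it reads is assumed to be readable only by the admin accounts. It assumes gpg 2.x on PATH with the secret key already imported, and handles both "report.pgp" and "report.txt.pgp" naming.

```python
"""Batch-decrypt every *.pgp file in a directory with gpg (added example).

Assumptions: gpg 2.x on PATH, secret key already in gpg's keyring, and the
passphrase stored in a file that only the admin accounts can read.
"""
import subprocess
from pathlib import Path
from typing import Dict, List


def output_path(encrypted: Path) -> Path:
    """testPGP.txt.pgp -> testPGP.txt ; report.pgp -> report.txt"""
    stripped = encrypted.with_suffix("")          # drop the .pgp
    return stripped if stripped.suffix else stripped.with_suffix(".txt")


def decrypt_args(encrypted: Path, output: Path) -> List[str]:
    """gpg argv: passphrase read from fd 0 (stdin), never on the command line."""
    return [
        "gpg", "--batch", "--yes",                # no prompts, overwrite output
        "--pinentry-mode", "loopback",            # required for gpg 2.1+ batch use
        "--passphrase-fd", "0",                   # passphrase arrives on stdin
        "--output", str(output),
        "--decrypt", str(encrypted),
    ]


def read_passphrase(passfile: Path) -> str:
    """Passphrase from a file locked down to the admin accounts (assumed ACL)."""
    return passfile.read_text(encoding="utf-8").strip()


def decrypt_one(encrypted: Path, passphrase: str) -> bool:
    """Decrypt one file; returns True on success, False if gpg failed."""
    result = subprocess.run(
        decrypt_args(encrypted, output_path(encrypted)),
        input=passphrase + "\n",                  # gpg reads one line from fd 0
        text=True, capture_output=True,
    )
    if result.returncode != 0:
        print(f"{encrypted.name}: gpg failed: {result.stderr.strip()}")
    return result.returncode == 0


def decrypt_all(directory: Path, passphrase: str) -> Dict[str, bool]:
    """Decrypt every *.pgp in the directory (the wildcard -d cannot do itself)."""
    return {p.name: decrypt_one(p, passphrase)
            for p in sorted(directory.glob("*.pgp"))}


if __name__ == "__main__":
    # Paths are placeholders for the poster's X:\ and D:\ directories.
    secret = read_passphrase(Path(r"X:\SECURE\passphrase.txt"))
    status = decrypt_all(Path(r"X:\ENCRYPTEDFILEDIRECTORY"), secret)
    raise SystemExit(0 if all(status.values()) else 1)
```

Schedule `python decrypt_pgp.py` instead of the batch file; a non-zero exit code tells Task Scheduler that at least one file failed rather than leaving the task stuck on a prompt.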
I am learning about BigQuery on Google App Engine and wanted to try out this library, which also required me to know about converting the service account credential to other formats. I have tried the command
# Convert the key from pkcs12 to pkcs1 (PEM).
$ cat /path/to/xxxx-privatekey.p12 | openssl pkcs12 -nodes -nocerts -passin pass:notasecret | openssl rsa > /path/to/secret.pem
on the command line but I get
'cat' is not recognized as an internal or external command,
operable program or batch file.
How do I resolve this?
Use Windows PowerShell. From Windows 7 onwards, it comes along with Windows.
Use 'Windows PowerShell' for the 'cat' command; it'll work.