From 07c19981da0607dc442fadc4079b1d71fbef8f83 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 23 Sep 2018 14:10:17 -0400 Subject: gpg: add --passphrase-env VARNAME to read passphrase from environment * g10/keydb.h: declare set_passphrase_from_environment_variable() * g10/passphrase.c: set_passphrase_from_environment_variable() new function * g10/gpg.c: add new --passphrase-env argument, handle it. -- There are problems or difficulties (to varying degrees) with all of the techniques available for sending a passphrase directly to the GnuPG process when --pinentry-mode=loopback: * Passphrases on the command line often leak into the process table. * Passphrases in a file often leak into the disk. * Using an extra file descriptor to send a passphrase works well on platforms that make it easy to allocate and use extra file descriptors, but is pretty awkward on platforms that don't facilitate this. So this patch adds a new form of passphrase-passing, using an environment variable. In POSIX shell, this looks like (for example): mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback\ --passphrase-env=mypass --decrypt < message.txt Hopefully, this is easier to use than --passphrase-fd on platforms or language toolkits that don't facilitate file descriptor manipulation. Signed-off-by: Daniel Kahn Gillmor --- doc/gpg.texi | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'doc/gpg.texi') diff --git a/doc/gpg.texi b/doc/gpg.texi index 7f55cc7e3..55e31d2e7 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -670,7 +670,8 @@ used for no expiration date. If this command is used with @option{--batch}, @option{--pinentry-mode} has been set to @code{loopback}, and one of the passphrase options (@option{--passphrase}, -@option{--passphrase-fd}, or @option{passphrase-file}) is used, the +@option{--passphrase-fd}, @option{--passphrase-env}, or +@option{passphrase-file}) is used, the supplied passphrase is used for the new key and the agent does not ask for it. To create a key without any protection @code{--passphrase ''} may be used. @@ -3172,6 +3173,14 @@ Note that since Version 2.0 this passphrase is only used if the option @option{--batch} has also been given. Since Version 2.1 the @option{--pinentry-mode} also needs to be set to @code{loopback}. +@item --passphrase-env @var{string} +@opindex passphrase-env +Use the value of the environment variable @var{string} as the passphrase. +This can only be used if only one passphrase is supplied. + +This passphrase is only used if the option @option{--batch} has also +been given, and if @option{--pinentry-mode} is set to @code{loopback}. + @item --pinentry-mode @var{mode} @opindex pinentry-mode Set the pinentry mode to @var{mode}. Allowed values for @var{mode} -- cgit v1.2.3