From 07c19981da0607dc442fadc4079b1d71fbef8f83 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 23 Sep 2018 14:10:17 -0400 Subject: gpg: add --passphrase-env VARNAME to read passphrase from environment * g10/keydb.h: declare set_passphrase_from_environment_variable() * g10/passphrase.c: set_passphrase_from_environment_variable() new function * g10/gpg.c: add new --passphrase-env argument, handle it. -- There are problems or difficulties (to varying degrees) with all of the techniques available for sending a passphrase directly to the GnuPG process when --pinentry-mode=loopback: * Passphrases on the command line often leak into the process table. * Passphrases in a file often leak into the disk. * Using an extra file descriptor to send a passphrase works well on platforms that make it easy to allocate and use extra file descriptors, but is pretty awkward on platforms that don't facilitate this. So this patch adds a new form of passphrase-passing, using an environment variable. In POSIX shell, this looks like (for example): mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback\ --passphrase-env=mypass --decrypt < message.txt Hopefully, this is easier to use than --passphrase-fd on platforms or language toolkits that don't facilitate file descriptor manipulation. Signed-off-by: Daniel Kahn Gillmor --- g10/keydb.h | 1 + 1 file changed, 1 insertion(+) (limited to 'g10/keydb.h') diff --git a/g10/keydb.h b/g10/keydb.h index 1def2bb81..db88df9f8 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -279,6 +279,7 @@ gpg_error_t build_sk_list (ctrl_t ctrl, strlist_t locusr, unsigned char encode_s2k_iterations (int iterations); int have_static_passphrase(void); const char *get_static_passphrase (void); +void set_passphrase_from_environment_variable(const char *envvar); void set_passphrase_from_string(const char *pass); void read_passphrase_from_fd( int fd ); void passphrase_clear_cache (const char *cacheid); -- cgit v1.2.3