GPG automatic decryption passphrase passing


Problem description


We receive GPG encrypted files from a third party. I'm modifying a C# program that finds the encrypted files, decrypts them, and deletes the encrypted ones. It all works except during the decryption part it prompts for a passphrase; I know the passphrase and it works when entered. I need to pass the passphrase in the command so the prompt never appears.

    string CommandText = string.Format("echo {0}|gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase-fd 0 -o {3} -d {4}",
                    passPhrase, publicKeyRingPath, secretKeyRingPath, outputFullPath, encryptedFilePath);

I have also tried:

    string CommandText = string.Format("gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase {0} -o {3} -d {4}",
    string CommandText = string.Format("gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase-fd {0} -o {3} -d {4}",

As well as several other variations.

This is running GnuPG for Windows 2.1.0.57899

In case the issue is elsewhere, here is a bunch of code primarily written by my predecessor:

    using System;
    using System.Configuration;   // ConfigurationManager; reference System.Configuration.dll
    using System.Diagnostics;
    using System.IO;

    // passPhrase, publicKeyRingPath, secretKeyRingPath and decryptPath are fields of the
    // enclosing class in the original program and are not shown in this excerpt.
    public bool decryptInputFile(string encryptedFilePath, string outputFullPath, out string message)
    {
        message = "decryptInputFile: Started";
        try
        {
            ProcessStartInfo psi = new ProcessStartInfo("cmd.exe")
            {
                CreateNoWindow = true,
                // Must be false: Process.Start throws InvalidOperationException when any
                // RedirectStandard* flag is combined with UseShellExecute = true.
                UseShellExecute = false,
                RedirectStandardInput = true,
                RedirectStandardOutput = true,
                RedirectStandardError = true,
                WorkingDirectory = decryptPath,
            };

            message = "decryptInputFile: PSI Initialized";
            using (Process process = Process.Start(psi))
            {
                // The passphrase is placed on a cmd.exe command line here, so it is visible to
                // anyone who can list processes while the echo | gpg.exe pipeline is running.
                string CommandText = string.Format("echo {0}|gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase-fd 0 -o {3} -d {4}",
                                    passPhrase, publicKeyRingPath, secretKeyRingPath, outputFullPath, encryptedFilePath);
                process.StandardInput.WriteLine(CommandText);
                process.StandardInput.Flush();
                process.StandardInput.Close();
                // stdout/stderr are redirected but never read; gpg writes little with -o, so
                // the pipe buffers do not fill, but WaitForExit would hang if they did.
                process.WaitForExit();
                message = "decryptInputFile: Success";

                //These processes don't close and it keeps the file from being deleted.
                foreach (Process P in Process.GetProcessesByName("gpg")) { P.Kill(); }
                foreach (Process P in Process.GetProcessesByName("gpg2")) { P.Kill(); }
            }   // the using block disposes the Process; explicit Close()/Dispose() are not needed
        }
        catch (Exception x)
        {
            // If there was an error, we're going to eat it and just let the user know we failed.
            message = "decryptInputFile: Error: " + x.Message;
            string errMessage = "ERROR: could not decrypt. " + x.Message + "\r\n";
            // ConfigurationSettings.AppSettings is obsolete; ConfigurationManager is its replacement.
            File.AppendAllText(ConfigurationManager.AppSettings["LogPath"], errMessage);

            return false;
        }

        if (File.Exists(outputFullPath) && File.Exists(encryptedFilePath))
        {
            File.Delete(encryptedFilePath);
        }
        return File.Exists(outputFullPath);
    }

Solution

The Problem

You're using GnuPG 2, which only allows the --passphrase* options together with --batch.

Using --batch

The --passphrase* options are meant to be used for scripting. GnuPG 2 limits them (probably to slowly deprecate them) to the --batch mode, where GnuPG does not perform any interaction (e.g., asking for your passphrase or other "dialogues").

While this is still possible, it might be preferable to use the password presetting in gpg-agent instead, which allows you to remove the passphrase completely from your application code. Note the implications of --passphrase (all users on your system can read it, as long as GnuPG is running!) and --passphrase-file (the passphrase is stored on the hard disk, watch out for permissions).

Presetting the Passphrase

The preferred method with GnuPG 2 is to preset the passphrase in gpg-agent, which GnuPG heavily relies on; in the case of GnuPG 2.1 it even handles private key and passphrase operations completely on its own.

But, to your rescue, GnuPG 2 brings a new tool, gpg-preset-passphrase. On Debian Linux, it hides in /usr/lib/gnupg2/, I don't know where it is stored in Windows.

From man gpg-preset-passphrase:

The gpg-preset-passphrase is a utility to seed the internal cache of a running gpg-agent with passphrases. It is mainly useful for unattended machines, where the usual pinentry tool may not be used and the passphrases for the to be used keys are given at machine startup.

[...]

gpg-preset-passphrase is invoked this way:

gpg-preset-passphrase [options] [command] cacheid

cacheid is either a 40 character keygrip of hexadecimal characters identifying the key for which the passphrase should be set or cleared. [...]

One of the following command options must be given:

--preset
    Preset a passphrase. This is what you usually will use.
    gpg-preset-passphrase will then read the passphrase from stdin.

To wrap up, when initialising GnuPG for your application (and at intervals corresponding to the configured cache time) run gpg-preset-passphrase --preset [fingerprint], which will read the passphrase from stdin, or additionally use a --passphrase passphrase option to directly set it in your query. Be aware that when using either the echo or the --passphrase approach, other system users might get hold of the passphrase by listing processes; better to directly write to the process's stdin from C#.
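The two things the answer recommends, seeding gpg-agent with gpg-preset-passphrase and writing the passphrase to the child process's stdin from C# rather than putting it on a cmd.exe command line, put together as an added example. This is neither the asker's program nor code from the GnuPG project; it also replaces the echo | gpg.exe pipeline from the question with a direct launch of gpg.exe, so nothing is left hanging and no gpg processes need to be killed. Assumptions, labelled as such in the code: gpg, gpg-preset-passphrase and gpg-agent are on PATH (on Windows the preset tool lives in the GnuPG bin directory; the answer says it could not confirm the location); gpg-agent.conf contains the line allow-preset-passphrase, without which the agent refuses to accept a preset; the cacheid is the 40-hex-character keygrip of the decryption subkey (shown by gpg --with-keygrip --list-secret-keys), which is what the man page excerpt above requires, not the fingerprint mentioned in the answer's last paragraph; and the class name GpgUnattended, its method names and the passphrase-file command-line argument are invented for the example.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added example, not the original poster's code and not GnuPG project code.
// Assumptions (not established by the page):
//  - gpg, gpg-preset-passphrase and gpg-agent are on PATH;
//  - gpg-agent.conf contains "allow-preset-passphrase" and the agent was
//    restarted afterwards (gpgconf --kill gpg-agent);
//  - 'keygrip' is the 40-hex-char keygrip of the decryption subkey, from
//    gpg --with-keygrip --list-secret-keys
public static class GpgUnattended
{
    // Launch a program directly (no cmd.exe, no "echo"): whatever is passed
    // as stdinText goes to the child's stdin only, so it never appears on a
    // command line that other users could read by listing processes.
    private static int RunWithStdin(string fileName, string arguments, string stdinText, out string stderr)
    {
        var psi = new ProcessStartInfo(fileName, arguments)
        {
            CreateNoWindow = true,
            UseShellExecute = false,        // required for any stream redirection
            RedirectStandardInput = true,
            RedirectStandardError = true,   // only one output stream is redirected,
                                            // so ReadToEnd() below cannot deadlock
        };
        using (var p = Process.Start(psi))
        {
            if (stdinText != null)
            {
                p.StandardInput.Write(stdinText);
            }
            p.StandardInput.Close();        // EOF: the child stops reading fd 0
            stderr = p.StandardError.ReadToEnd();
            p.WaitForExit();
            return p.ExitCode;
        }
    }

    // Seed gpg-agent's cache. With --preset and no -P/--passphrase option,
    // gpg-preset-passphrase reads the passphrase from stdin (see the man
    // page excerpt in the answer). Call again before max-cache-ttl expires.
    public static bool PresetPassphrase(string keygrip, string passphrase, out string error)
    {
        if (keygrip == null || keygrip.Length != 40)
        {
            error = "cacheid must be a 40-character hexadecimal keygrip";
            return false;
        }
        int rc = RunWithStdin("gpg-preset-passphrase", "--preset " + keygrip, passphrase, out error);
        return rc == 0;
    }

    // Decrypt with --batch so GnuPG never shows a pinentry; the agent supplies
    // the cached passphrase, so no --passphrase* option is needed at all.
    public static bool DecryptFile(string encryptedFilePath, string outputFullPath, out string error)
    {
        string args = string.Format("--batch --yes --output \"{0}\" --decrypt \"{1}\"",
                                    outputFullPath, encryptedFilePath);
        int rc = RunWithStdin("gpg", args, null, out error);
        // Check the exit code, not only File.Exists: a stale output file from
        // an earlier run would otherwise be mistaken for success.
        return rc == 0 && File.Exists(outputFullPath);
    }

    public static int Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.Error.WriteLine("usage: GpgUnattended <keygrip> <passphrase-file> <encrypted> <output>");
            return 64;
        }
        // The passphrase file is an example convenience; protect it with ACLs
        // (the answer's caveat about --passphrase-file applies equally here).
        string passphrase = File.ReadAllText(args[1]).TrimEnd('\r', '\n');
        string err;
        if (!PresetPassphrase(args[0], passphrase, out err))
        {
            Console.Error.WriteLine("preset failed: " + err);
            return 1;
        }
        if (!DecryptFile(args[2], args[3], out err))
        {
            Console.Error.WriteLine("decrypt failed: " + err);
            return 2;
        }
        // Only after both steps succeeded is it safe to remove the ciphertext,
        // which is what the original program does.
        File.Delete(args[2]);
        return 0;
    }
}
```

Because decryption runs with --batch alone, the --passphrase* family is not used anywhere; that matters on GnuPG 2.1, where those options are only honoured together with --pinentry-mode loopback, a requirement the preset approach sidesteps entirely. The preset is lost when the agent exits or its max-cache-ttl elapses, so an unattended service should treat a non-zero exit from gpg as a signal to re-run PresetPassphrase and retry once before logging a failure.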
