
Feature request. An option in gpg to copy STDIN to STDOUT instead of nowhere.
Hello,

The command "gpg --decrypt" takes a file or STDIN as input and decrypts (or tries to) the part between
-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----
and throws away everything else.

I would like to have an option reproducing the unencrypted part of STDIN on STDOUT,
instead of throwing it away.


An example of need is to transform a bunch of encrypted emails to
their deciphered version, the Unix philosophy way, i.e., suitable in a pipe, or more.


Something like:

P=mysecretpass
cat mailbox.txt | gpg --decrypt --batch --no-tty --passphrase=$P --allow-multiple-messages 2>/dev/null | more

Three questions:

1) Is it a complicated task, considering the gpg code architecture?

2) Can someone who sees the whole gpg picture give me some clue and a starting point?

3) What is the eagerness to include such an option in gpg?
Is it a clear NO, a YES, or a "why not, if done well"?

4) How about the option name?

--cat # act like cat
--parrot # be a parrot
--copy-stdin-to-stdout # long and less cryptic
--???


Thanks!

--
Au revoir,
Gilles Lamiral. France, Baulon (35580)
mob +33 6 19 22 03 54
tel +33 9 51 84 42 42
fax +33 9 56 84 42 42

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: Feature request. An option in gpg to copy STDIN to STDOUT instead of nowhere.
On Monday, 18 December 2023 22:40:31 CET Gilles LAMIRAL via Gnupg-devel
wrote:
> The command "gpg --decrypt" takes a file or STDIN as input and decrypts
> (or tries to) the part between
> -----BEGIN PGP MESSAGE-----
> ...
> -----END PGP MESSAGE-----
> and throws away everything else.

That's exactly what --decrypt is supposed to do. Try running gpg without
--decrypt.

Also, use https://dev.gnupg.org to submit feature requests.

Regards,
Ingo
Re: Option in gpg to copy STDIN to STDOUT instead of nowhere.
Hello,


>> The command "gpg --decrypt" takes a file or STDIN as input and decrypts
>> (or tries to) the part between
>> -----BEGIN PGP MESSAGE-----
>> ...
>> -----END PGP MESSAGE-----
>> and throws away everything else.
>
> That's exactly what --decrypt is supposed to do. Try running gpg without
> --decrypt.


I tried gpg without --decrypt and the behavior is the same: STDIN is thrown away,
but the "-----PGP MESSAGE-----" block is deciphered.

So, what is the option to get gpg to reproduce STDIN on STDOUT?



--
Au revoir,
Gilles Lamiral. France, Baulon (35580)
mob +33 6 19 22 03 54
tel +33 9 51 84 42 42
fax +33 9 56 84 42 42


Re: Option in gpg to copy STDIN to STDOUT instead of nowhere.
On 19 Dec 2023, at 13:53, Gilles LAMIRAL via Gnupg-devel <gnupg-devel@gnupg.org> wrote:
>
> >> The command "gpg --decrypt" takes a file or STDIN as input and decrypts
> >> (or tries to) the part between
> >> -----BEGIN PGP MESSAGE-----
> >> ...
> >> -----END PGP MESSAGE-----
> >> and throws away everything else.
> >
> > That's exactly what --decrypt is supposed to do. Try running gpg without
> > --decrypt.
>
>
> I tried gpg without --decrypt and the behavior is the same: STDIN is thrown away,
> but the "-----PGP MESSAGE-----" block is deciphered.
>
> So, what is the option to get gpg to reproduce STDIN on STDOUT?

Transparently decrypting inline messages opens you up to all sorts of smuggling attacks, where it is not clear from the output which parts of the message were encrypted or not. It is therefore not a good idea in general to implement this (see: efail).

However, if you have a specific use case that requires it, and you understand and accept the risk, you could try wrapping it in a loop like this (beware this is NOT TESTED):

while IFS= read -r line; do
    # copy cleartext lines until an armor header; stop at end of input
    while [[ $line != "-----BEGIN PGP MESSAGE-----" ]]; do
        echo "$line"
        IFS= read -r line || continue 2
    done
    echo "<<<<<BEGIN DECRYPTED MESSAGE>>>>>"
    {
        # feed the armored block, header and trailer included, to gpg
        while [[ $line != "-----END PGP MESSAGE-----" ]]; do
            echo "$line"
            IFS= read -r line || break
        done
        echo "$line"
    } | gpg --decrypt --batch --no-tty --passphrase="$P" 2>/dev/null
    echo "<<<<<END DECRYPTED MESSAGE>>>>>"
done < mailbox.txt > decrypted-mailbox.txt

A
Re: Option in gpg to copy STDIN to STDOUT instead of nowhere.
On Tue, 19 Dec 2023 14:42, Andrew Gallagher said:

> Transparently decrypting inline messages opens you up to all sorts of
> smuggling attacks, where it is not clear from the output which parts

Right.

> while true; do
> IFS= read -r line
> while [[ $line != "-----BEGIN PGP MESSAGE-----" ]]; do
> echo "$line"
> IFS= read -r line
> done
> echo "<<<<<BEGIN DECRYPTED MESSAGE>>>>>"

FWIW, here we get into the first trouble. Inserting a plaintext
followed by some pages of white space or several FF after the BEGIN
header, followed by another BEGIN header, allows pushing something else
underneath a signed (and encrypted) message.

That is also why PGP/MIME is a better way to send mails than inline PGP.


Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Option in gpg to copy STDIN to STDOUT instead of nowhere.
Hi Andrew


> However, if you have a specific use case that requires it

Some use cases requested by imapsync users:

a) Make a copy of a mailbox with all messages deciphered, if any.
b) Do a grep in all messages of a mailbox, searching for an email based on its content.
c) Do some statistics about email content; it's similar to b).


This is not a popular request anyway.
It's because nearly nobody encrypts his emails.

> you could try wrapping it in a loop like this (beware this is NOT TESTED):
>

Thanks for this code!

I was about to write a tool doing the "act like cat" feature request but
I wondered if it could be easier to code it inside a known decipher tool.

It has to be reliable and safe from a content point of view,
leaving STDOUT as STDIN in case of a failure to decipher,
STDERR being ok to carry anything.




--
Au revoir,
Gilles Lamiral. France, Baulon (35580)
mob +33 6 19 22 03 54
tel +33 9 51 84 42 42
fax +33 9 56 84 42 42



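An added example, not code from gpg, from Andrew or from anyone in the thread, tying together the three points raised above: Andrew's loop that splits a mailbox at the armor headers, Werner's note that a second BEGIN header pushed inside a block lets text be smuggled underneath a later message, and Gilles' requirement that a failed decryption must leave STDOUT identical to STDIN. Instead of BEGIN/END marker lines, which either the cleartext or the recovered plaintext could forge, every output line carries a CLEAR or DECRYPTED tag, so the origin of each line is unambiguous. The decryptor is passed in by the caller (in practice the gpg --decrypt --batch --no-tty command from the thread); fake_decrypt, the rot13 stand-in, and the sample mailbox are constructed here so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from gpg or from the thread: split an inline-PGP
# mailbox into cleartext and armored blocks, decrypt each block with a
# caller-supplied command, pass everything else through unchanged, and tag
# every output line with its origin so boundaries cannot be spoofed.

BEGIN_HDR='-----BEGIN PGP MESSAGE-----'
END_HDR='-----END PGP MESSAGE-----'
NL='
'   # a literal newline, used when accumulating block lines

# emit_tagged TAG TEXT : print TEXT line by line, each line prefixed "TAG: "
emit_tagged() {
  printf '%s\n' "$2" | sed "s/^/$1: /"
}

# decrypt_inline FILE CMD [ARGS...]
#   FILE : mailbox-like text to scan
#   CMD  : decryptor that reads one armored message on stdin, writes the
#          plaintext to stdout and exits non-zero on failure, for example
#          gpg --decrypt --batch --no-tty (as in the thread)
# Cleartext lines are printed as "CLEAR: <line>", decrypted lines as
# "DECRYPTED: <line>". A block that fails to decrypt, that contains a second
# BEGIN header before its END header, or that is unterminated at EOF is
# passed through untouched under the CLEAR tag, so a failure never alters
# the input.
decrypt_inline() {
  local file=$1; shift
  local block='' inblock=0 line plain
  while IFS= read -r line || [ -n "$line" ]; do   # also handles a missing final newline
    if [ "$inblock" -eq 0 ]; then
      if [ "$line" = "$BEGIN_HDR" ]; then
        block=$line; inblock=1
      else
        printf 'CLEAR: %s\n' "$line"
      fi
      continue
    fi
    if [ "$line" = "$BEGIN_HDR" ]; then
      # A second BEGIN before any END: the buffered block is malformed (the
      # shape of the smuggling described in the thread). Pass it through
      # unchanged and start a fresh block at this header.
      emit_tagged CLEAR "$block"
      block=$line
      continue
    fi
    block="$block$NL$line"
    if [ "$line" = "$END_HDR" ]; then
      if plain=$(printf '%s\n' "$block" | "$@" 2>/dev/null); then
        emit_tagged DECRYPTED "$plain"
      else
        echo "decrypt_inline: block failed to decrypt, passed through unchanged" >&2
        emit_tagged CLEAR "$block"
      fi
      block='' inblock=0
    fi
  done < "$file"
  [ "$inblock" -eq 1 ] && emit_tagged CLEAR "$block"   # unterminated block at EOF
  return 0
}

# Stand-in for gpg so the demo runs offline (constructed for this example):
# drop the two armor header lines and "decrypt" the body with rot13.
fake_decrypt() {
  sed '1d;$d' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Constructed sample mailbox: one plain mail, one inline-PGP mail, then a
# malformed block with a nested BEGIN header. Prints the temp file's path.
make_sample_mailbox() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
From alice Mon Dec 18 22:40:31 2023
Subject: plain mail

hello world
From bob Tue Dec 19 13:53:00 2023
Subject: secret mail

-----BEGIN PGP MESSAGE-----
frperg cynvagrkg
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
injected text
-----BEGIN PGP MESSAGE-----
frperg
-----END PGP MESSAGE-----
bye
EOF
  printf '%s\n' "$f"
}

# Run the sample through the rot13 stand-in and print the tagged result.
run_demo() {
  local f; f=$(make_sample_mailbox)
  decrypt_inline "$f" fake_decrypt
  rm -f "$f"
}

run_demo
```

With the real decryptor the call is `decrypt_inline mailbox.txt gpg --decrypt --batch --no-tty`; the `2>/dev/null` on the decryptor keeps gpg's diagnostics off the tagged stream, and the script's own notice about a pass-through block goes to STDERR, matching the requirement that STDERR may carry anything while STDOUT stays faithful to the input.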