
Scripting and CGI use of GPG
OK, I've been tearing my hair out over a simple implementation of a Perl
CGI which uses GPG. I've got this test CGI:

--snip!--
#!/usr/bin/perl

print "Content-type: text/html\n\n";

print "<pre>";

# Dump the CGI environment so it can be compared with the shell's
print `env`;

$myemail="phil\@stimpy.netroedge.com";

# Backticks capture only stdout; anything gpg writes to stderr is lost here
$temp=`echo "blah" | /usr/local/bin/gpg -a -e --yes --batch -r $myemail`;

print $temp;
--snip!--

If I run it on the command line (as the user which the web server runs
under), I get the expected output (i.e., the environment followed by my
encrypted 'blah').

If I run it as a CGI through Apache, I only get the environment and not
any encrypted message! For some reason, GPG doesn't run when it is in a
CGI for me. :'( I've made sure that my key is available for the user which
the web server is running as, and have done everything else I can think
of.

Somebody posted a Perl implementation of a GPG form-mail thing which is close
to what I am doing, but I don't understand why my simple attempt above
doesn't work (or even report an error..).

Ideally, it would be cool if there was a Perl module which allowed Perl
access to GPG routines. Does this exist? Using back-ticks to get to the
shell is a drag (and not all that secure). :'p

Thanks in advance for any ideas/help. In the meantime, I'll try some
more things....


Phil

------------------------------------------------------------
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
phil@netroedge.com -- http://www.netroedge.com/~phil
PGP F16: 01 D2 FD 01 B5 46 F4 F0 3A 8B 9D 7E 14 7F FB 7A
Re: Scripting and CGI use of GPG
On Mon, 30 Aug 1999 phil@Stimpy.netroedge.com wrote:

> OK, I've been tearing my hair out over a simple implementation of a Perl
> CGI which uses GPG. I've got this test CGI:
>
> If I run it on the command line (as the user which the web server runs
> under), I get the expected output (i.e., the environment followed by my
> encrypted 'blah').
>
> If I run it as a CGI through Apache, I only get the environment and not
> any encrypted message! For some reason, GPG doesn't run when it is in a
> CGI for me. :'( I've made sure that my key is available for the user which
> the web server is running as, and have done everything else I can think
> of.

What if you redirect stderr to stdout?

How does gpg find your keyring? Did you do a 'export HOME=/home/myname' ?

Greetings,
Lennert
Re: Scripting and CGI use of GPG
> > OK, I've been tearing my hair out over a simple implementation of a Perl
> > CGI which uses GPG. I've got this test CGI:
> >
> > If I run it on the command line (as the user which the web server runs
> > under), I get the expected output (i.e., the environment followed by my
> > encrypted 'blah').
> >
> > If I run it as a CGI through Apache, I only get the environment and not
> > any encrypted message! For some reason, GPG doesn't run when it is in a
> > CGI for me. :'( I've made sure that my key is available for the user which
> > the web server is running as, and have done everything else I can think
> > of.
>
> What if you redirect stderr to stdout?
>
> How does gpg find your keyring? Did you do a 'export HOME=/home/myname' ?

The most common problems I have when doing this stuff are making sure
the user that Apache is running as (usually "nobody" or "www") has all
the right permissions to do what it needs (read keyrings, etc.), and
making sure gpg knows where the keyrings live. You also need to make
sure that all the keys you're using are trusted, or it'll spit out a
prompt asking you "are you sure" or something.

The user Apache runs as (I'll use "nobody" as an example) shouldn't
have a shell or home directory. To test permissions as user nobody,
you can be root and "su -m nobody" before running the script in the
shell. This leaves the environment and shell the same as they were
when you were root, so it doesn't test things exactly as if you were
running in Apache, but it will tell you if permissions are correct or
not.

Alan
Re: Scripting and CGI use of GPG
phil@Stimpy.netroedge.com, at 17:05 on Mon, 30 Aug 1999, wrote:

> Ideally, it would be cool if there was a Perl module which allowed Perl
> access to GPG routines. Does this exist? Using back-ticks to get to the
> shell is a drag (and not all that secure). :'p

Visit the all-encompassing CPAN (http://www.cpan.org). There are a couple
modules.

--
Frank Tobin "To learn what is good and what is to be
www.neverending.org/~ftobin valued, those truths which cannot be
shaken or changed." Myst: The Book of Atrus

PGPenvelope = GPG and PGP5 + Pine PGP: 4F86 3BBB A816 6F0A 340F
www.neverending.org/~ftobin/resources.html 6003 56FF D10A 260C 4FA3
Re: Scripting and CGI use of GPG
OK, thanks to all the great suggestions and polite advice! I managed to
get it partially working, but it wasn't very easy. In the end, I used the
CPAN module for GPG mentioned by Frank (actually, it looks like he wrote
it! :'), but it had the same problems that I had in my own code. It worked
eventually, but I did have to modify the environment first:

$ENV{"GNUPGHOME"}="/home/nobody/.gnupg";

As Alan suggested, the user which Apache was running under was indeed
'nobody' (as I expected). I made a 'home directory' for this user to keep
things like GPG keys. But, GPG still wasn't finding them. Using the
"--homedir" parameter from within the script didn't work for some strange
reason (it worked from the command line...)! I also noticed that it
wasn't mentioned on a 'gpg -h', so I thought it might have been
deprecated or something?!

In any event, using the environment setting above (and making sure
permissions were OK) fixed things. But, I cannot have the CGI
encrypt+sign successfully. It automatically 'pops' back to interactive
mode prompting for the password for the secret key even though I supplied
it as CPAN specifies. I know having the password in a script isn't very
secure, but it seems better than having the secret key w/o any password
protection.

Thanks again for the help, and hopefully I can get encrypt+sign working
after some more fudging.


Phil

------------------------------------------------------------
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
phil@netroedge.com -- http://www.netroedge.com/~phil
PGP F16: 01 D2 FD 01 B5 46 F4 F0 3A 8B 9D 7E 14 7F FB 7A
Re: Scripting and CGI use of GPG
Hey! It works. With a little help from Frank, I got everything working
great. For those interested in doing some automated encrypt+signing for
things like commerce servers, check out my simple CGI below:

---snip!---
#!/usr/bin/perl

use PGP::GPG::MessageProcessor;

print "Content-type: text/html\n\n";

$message[0]="This is just my bogus test message\n";
$message[1]="This is just my bogus test message line 2\n";

$messageProcessor = new PGP::GPG::MessageProcessor;
$passphrase="hellothere";
$recipient="phil\@stimpy.netroedge.com";
# --homedir and its value must be separate list elements
$messageProcessor->{extraArgs} = [ '--homedir', '/home/nobody/.gnupg' ];
$messageProcessor->{encrypt} = 1;
$messageProcessor->{sign} = 1;
$messageProcessor->{recipients} = [$recipient];
# interactive = 0: never fall back to prompting for the passphrase
$messageProcessor->{interactive} = 0;
$messageProcessor->{armor} = 1;
$messageProcessor->{passphrase} = $passphrase;
# cipher() operates on \@message; the result is printed below
$success = $messageProcessor->cipher( \@message );

print "<pre>";

print `env`;

print "testing-->\n\n";
print @message;
---snip!---

Thanks again!


Phil

------------------------------------------------------------
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
phil@netroedge.com -- http://www.netroedge.com/~phil
PGP F16: 01 D2 FD 01 B5 46 F4 F0 3A 8B 9D 7E 14 7F FB 7A
Re: Scripting and CGI use of GPG
phil@Stimpy.netroedge.com writes:

> "--homedir" parameter from within the script didn't work for some strange
> reason (it worked from the command line...)! I also noticed that it
> wasn't mentioned on a 'gpg -h', so I thought it might have been
> deprecated or something?!

No, --help only lists the most important commands and options;
the others are listed in the man page (we currently have 133 ;-).


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Re: Scripting and CGI use of GPG
> things like GPG keys. But, GPG still wasn't finding them. Using the
> "--homedir" parameter from within the script didn't work for some strange
> reason (it worked from the command line...)! I also noticed that it
> wasn't mentioned on a 'gpg -h', so I thought it might have been
> deprecated or something?!

Hmm, the --homedir switch works just fine in my scripts.
Petr

Re: Scripting and CGI use of GPG
On Wed, 1 Sep 1999, Petr Danecek wrote:

>
> > things like GPG keys. But, GPG still wasn't finding them. Using the
> > "--homedir" parameter from within the script didn't work for some strange
> > reason (it worked from the command line...)! I also noticed that it
>[..]
> Hmm, the --homedir switch works just fine in my scripts.
> Petr

Yeah, I did this:

$messageProcessor->{extraArgs} = [ '--homedir /home/nobody/.gnupg' ];

When I should have done this:

$messageProcessor->{extraArgs} = [ '--homedir', '/home/nobody/.gnupg' ];


I have it all working now, thanks. The only strange problem which
I had on my RedHat6.0 machine (which Frank couldn't reproduce on his
FreeBSD box) was a problem which produces repetitive output if a print
ending in a '\n' wasn't issued before calling:

$success = $messageProcessor->cipher( \@message);

I.e., this works as expected:

print "hi there\n";
$success = $messageProcessor->cipher( \@message);

This does not:

print "hi there";
$success = $messageProcessor->cipher( \@message);

The output looks like:

[...]hi therehi there[...]


This seems to be a wacky bug in the Linux Perl provided by RedHat
from what I can tell. It isn't hard to avoid once it is known, though.

Thanks!


Phil

------------------------------------------------------------
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
phil@netroedge.com -- http://www.netroedge.com/~phil
PGP F16: 01 D2 FD 01 B5 46 F4 F0 3A 8B 9D 7E 14 7F FB 7A
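The points raised across the thread (keyring location for the web server user, stderr disappearing behind backticks, --homedir and its value as separate arguments, no interactive prompts) pulled together in one script. This is an added example, not Phil's CGI or the CPAN module's code; the gpg path, the /home/nobody/.gnupg directory and the recipient address are placeholders taken from the thread.

```perl
#!/usr/bin/perl
# Added example: encrypt from a CGI without passing the command through a shell.
use strict;
use warnings;
use IPC::Open3 qw(open3);
use Symbol qw(gensym);

# Assumptions: gpg lives here and the web server user's keyring is in this
# directory (the thread's /home/nobody/.gnupg). Both are placeholders.
my $GPG     = '/usr/local/bin/gpg';
my $HOMEDIR = '/home/nobody/.gnupg';

# Run gpg with an argument list (no shell, so no quoting problems and no
# shell injection via the recipient string) and capture stdout and stderr
# separately, so a failure is visible instead of silently producing nothing.
sub gpg_encrypt {
    my ($plaintext, $recipient) = @_;
    # --homedir and its value are separate list elements; passing
    # '--homedir /home/nobody/.gnupg' as one element is the bug from the thread.
    my @cmd = ($GPG, '--homedir', $HOMEDIR, '--batch', '--yes', '--armor',
               '--encrypt', '--recipient', $recipient);
    my $err = gensym;                      # separate handle for stderr
    my $pid = open3(my $in, my $out, $err, @cmd);
    print {$in} $plaintext;
    close $in;
    # Small outputs only: reading stdout fully before stderr could block if
    # gpg wrote more diagnostics than the pipe buffer holds.
    my $cipher = do { local $/; <$out> };
    my $diag   = do { local $/; <$err> };
    waitpid($pid, 0);
    my $status = $? >> 8;
    # --batch makes gpg fail instead of waiting on a prompt (untrusted key,
    # missing keyring, unreadable files); the stderr text says which.
    return ($status, $cipher // '', $diag // '');
}

print "Content-type: text/plain\n\n";
my ($status, $cipher, $diag) =
    gpg_encrypt("blah\n", 'phil@stimpy.netroedge.com');
if ($status == 0) {
    print $cipher;
} else {
    # Diagnostics go to the server error log, never to the browser.
    print STDERR "gpg exited with status $status: $diag";
    print "encryption failed\n";
}
```

Testing it with `su -m nobody` as Alan describes shows permission problems; running it under Apache additionally exercises the environment, which is where HOME and GNUPGHOME differ from a login shell.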