Mailing List Archive

change passphrase in batch mode
Hello,

is it possible to change a passphrase in batch mode?


Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: change passphrase in batch mode [ In reply to ]

On 07/29/2013 11:02 PM, Hauke Laging wrote:
> Hello,
>
> is it possible to change a passphrase in batch mode?
>

From what the man pages say, no. You can delete keys and there
is experimental key creation with notes in the doc/DETAILS of
the source code on how to do that. Alterations to code?
Look at the experimental key creation to get some ideas.

You are of course free to investigate using expect, expectk, or
tk on Linux / Unix. Things like sh / ksh / bash, PERL, BAT, or
PowerShell won't work. I haven't looked at the GnuPG source
code in a long time but if whichever of gpg or gpg2 you are
using does a dup() or dup2() of STDIN then after the
"gpg --edit-key KEY" then an internal passwd command you will
have to wait before giving it the old pass-phrase, new
pass-phrase, and then save.

For two way across distance the other side may need the new
public key after the pass-phrase change (not tested). I would
backup my ~/.gnupg ('nix) or gnupg (somewhere down inside your
Windows %UserProfile% folder) before doing tests in case you
do irreparable damage.

HHH


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: change passphrase in batch mode [ In reply to ]
On Tue, 30 Jul 2013 04:42, hhhobbit@securemecca.net said:

> From what the man pages say, no. You can delete keys and there
> is experimental key creation with notes in the doc/DETAILS of

With gpg2 you can do:

gpg2 --passwd KEYID

Of course it will use the pinentry to ask for the old and new passphrase.
You may use a pinentry wrapper as usual or with 2.1-beta the pinentry
loopback mode.

GPGME has

/* Change the passphrase for KEY. FLAGS is reserved for future use
and must be passed as 0. This is the synchronous variant. */
gpgme_error_t
gpgme_op_passwd (gpgme_ctx_t ctx, gpgme_key_t key, unsigned int flags);

this convenience function.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.


Re: change passphrase in batch mode [ In reply to ]
On Tue 30.07.2013, 09:28:24, Werner Koch wrote:

> With gpg2 you can do:
>
> gpg2 --passwd KEYID
>
> Of course it will use the pinentry to ask for the old and new passphrase.
> You may use a pinentry wrapper as usual or with 2.1-beta the pinentry
> loopback mode.

I am limited to the content of Knoppix (which is 1.4.x). Is it possible to
write a pinentry wrapper in shell code (again: limited to what Knoppix has) or
does that require more sophisticated programming?


Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: change passphrase in batch mode [ In reply to ]
On Tue, 30 Jul 2013 12:57, mailinglisten@hauke-laging.de said:

> I am limited to the content of Knoppix (which is 1.4.x). Is it possible to
> write a pinentry wrapper in shell code (again: limited to what Knoppix

Sure. Here is a very basic one:

#!/bin/sh
# Copyright 2011 Free Software Foundation, Inc.
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved. This file is
# distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY, to the extent permitted by law; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

echo "OK - what's up?"
while read cmd rest; do
  echo "cmd=$cmd rest=$rest" >&2
  case "$cmd" in
    \#*)
      ;;
    GETPIN)
      echo "D ${PINENTRY_USER_DATA}"
      echo "OK"
      ;;
    BYE)
      echo "OK"
      exit 0
      ;;
    *)
      echo "OK"
      ;;
  esac
done

It simply echoes the content of the envvar PINENTRY_USER_DATA which is
passed from gpg via gpg-agent to the pinentry. A more useful script
would use this variable to convey control information to the script.



Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.


Re: change passphrase in batch mode [ In reply to ]
On Tue 30.07.2013, 14:28:49, Werner Koch wrote:

> Sure. Here is a very basic one:

Took me some time to give that a try but...


> echo "OK - what's up?"
> while read cmd rest; do
>   echo "cmd=$cmd rest=$rest" >&2
>   case "$cmd" in
>     \#*)
>       ;;
>     GETPIN)
>       echo "D ${PINENTRY_USER_DATA}"
>       echo "OK"
>       ;;
>     BYE)
>       echo "OK"
>       exit 0
>       ;;
>     *)
>       echo "OK"
>       ;;
>   esac
> done

That works, thanks a lot. I added
    GETINFO)
      if [ "pid" = "$rest" ]; then
        echo "D $$"
      fi
      echo "OK"
      ;;


> It simply echoes the content of the envvar PINENTRY_USER_DATA which is
> passed from gpg via gpg-agent to the pinentry.

This simple example works if just one passphrase is needed (e.g. signing). The
problem is that pinentry is called three times when the passphrase is changed.
I could put both the old and the new passphrase in PINENTRY_USER_DATA.
Unfortunately it is not obvious for pinentry (or rather: me looking at the
communication) which of the three calls is the current one. That may be
detectable but seems too complicated. My solution is that I let the wrapper
read the data from a FIFO. Before gpg --passwd is called the three passphrases
are written to the FIFO.


I wonder why none of these commands (GETPIN, GETINFO, not even BYE) are
explained on
http://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html


Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
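
The FIFO approach described in the message above, sketched as an added example (not code from the thread). It assumes the three prompts arrive in the order old, new, repeated new, that PINENTRY_USER_DATA carries the FIFO path, and Linux FIFO semantics; queue_passphrases and pinentry_from_fifo are hypothetical names.

```sh
#!/bin/sh
# Added example: pinentry stand-in that answers each GETPIN with the next
# line queued in a FIFO. Assumption: PINENTRY_USER_DATA holds the FIFO path.

# Caller side: queue old, new and repeated-new passphrase before gpg runs.
queue_passphrases() {            # $1 = FIFO path, $2 = old, $3 = new
    mkfifo -m 600 "$1" || return 1
    # Holding the FIFO open read-write keeps the queued lines alive between
    # pinentry invocations (Linux behaviour; POSIX leaves O_RDWR undefined).
    exec 9<>"$1"
    printf '%s\n' "$2" "$3" "$3" >&9
}

# Pinentry side: speak the Assuan dialogue on stdin/stdout.
pinentry_from_fifo() {
    echo "OK ready"
    while read -r cmd rest; do
        case "$cmd" in
        GETPIN)
            # The shell's read consumes exactly one line from the FIFO.
            if IFS= read -r pin <"$PINENTRY_USER_DATA"; then
                # Assuan data lines must percent-escape a literal '%'.
                printf 'D %s\nOK\n' "$(printf '%s' "$pin" | sed 's/%/%25/g')"
            else
                echo "ERR 83886179 canceled"   # GPG_ERR_CANCELED, source pinentry
            fi ;;
        GETINFO)
            [ "$rest" = pid ] && echo "D $$"
            echo "OK" ;;
        BYE)
            echo "OK"; return 0 ;;
        *)
            echo "OK" ;;
        esac
    done
}
```

Installed as the pinentry program, the script would end with a call to pinentry_from_fifo; the caller closes fd 9 and removes the FIFO once gpg has finished so no passphrase stays queued.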
Re: change passphrase in batch mode [ In reply to ]

On 11/12/13 08:38, Hauke Laging wrote:
> I wonder why none of these commands (GETPIN, GETINFO, not even BYE) are
> explained on
> http://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html

I suppose because that is the agent protocol description, not the pinentry
protocol description. They're both Assuan protocols, but they're different
protocols. I can get a description of the pinentry protocol simply by:

$ info pinentry

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

Re: Change Passphrase in Batch Mode [ In reply to ]
On Wed, 16 Mar 2022 09:26, Daniel Kilimnik said:

> mode. With --pinentry-mode loopback --passphrase-fd 0 activated. It asks
> for my current passphrase, but then exits with a success.

--passphrase-fd works only if a password is requested but not if two
passwords are requested (the old one and the new one). You need to use
the --command-fd thingy and write a state machine for this. Here is a
manual example

--8<---------------cut here---------------start------------->8---
$ gpg --pinentry-mode loopback --status-fd 2 -v --batch --command-fd 0 --passwd FE894309B6844A3004FE8BF9476CAB1C3623CAA6
[GNUPG:] KEY_CONSIDERED FE894309B6844A3004FE8BF9476CAB1C3623CAA6 0
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
abc
[GNUPG:] GOT_IT
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
def
[GNUPG:] GOT_IT
[GNUPG:] SUCCESS keyedit.passwd
--8<---------------cut here---------------end--------------->8---


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
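
One way to write the state machine mentioned above, as an added example rather than code from the thread or the GnuPG project. passwd_responder and change_passphrase are hypothetical names, and the passphrases are assumed to sit in two files readable only by the caller.

```sh
#!/bin/sh
# Added example: answer gpg's loopback prompts from its --status-fd stream.
# Reads status lines on stdin, writes one passphrase per prompt on stdout.
# $1 = old passphrase, $2 = new passphrase (shell variables, never gpg argv).
passwd_responder() {
    old=$1 new=$2 state=want_old
    while IFS= read -r line; do
        case "$line" in
        "[GNUPG:] GET_HIDDEN passphrase.enter")
            case "$state" in
            want_old) printf '%s\n' "$old"; state=want_new ;;
            want_new) printf '%s\n' "$new"; state=sent_both ;;
            *) return 1 ;;       # a third prompt: stop instead of guessing
            esac ;;
        "[GNUPG:] SUCCESS keyedit.passwd")
            [ "$state" = sent_both ] && state=done ;;
        "[GNUPG:] GET_"*)
            return 1 ;;          # any prompt we did not plan for
        esac
    done
    [ "$state" = done ]          # succeed only if gpg reported SUCCESS
}

# Wire the responder to gpg through two FIFOs. $1 = key fingerprint;
# $2 and $3 name files holding the old and new passphrase (mode 0600).
change_passphrase() {
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/status" "$dir/cmd" || return 1
    gpg --pinentry-mode loopback --batch --status-fd 3 --command-fd 4 \
        --passwd "$1" 3>"$dir/status" 4<"$dir/cmd" &
    IFS= read -r old_pw <"$2"; IFS= read -r new_pw <"$3"
    # Both sides open status first, then cmd, so the FIFO opens cannot deadlock.
    passwd_responder "$old_pw" "$new_pw" <"$dir/status" >"$dir/cmd"
    rc=$?
    wait $! || rc=1
    rm -rf "$dir"
    return $rc
}
```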
Re: Change Passphrase in Batch Mode [ In reply to ]
Thanks, that does work, but is it also possible to set an empty
passphrase i.e. remove the passphrase with this method?

Best,
Daniel

On Thu, 17 March 2022 at 10:26, Werner Koch <wk@gnupg.org> wrote:

> On Wed, 16 Mar 2022 09:26, Daniel Kilimnik said:
>
> > mode. With --pinentry-mode loopback --passphrase-fd 0 activated. It asks
> > for my current passphrase, but then exits with a success.
>
> --passphrase-fd works only if a password is requested but not if two
> passwords are requested (the old one and the new one). You need to use
> the --command-fd thingy and write a state machine for this. Here is a
> manual example
>
> --8<---------------cut here---------------start------------->8---
> $ gpg --pinentry-mode loopback --status-fd 2 -v --batch --command-fd 0
> --passwd FE894309B6844A3004FE8BF9476CAB1C3623CAA6
> [GNUPG:] KEY_CONSIDERED FE894309B6844A3004FE8BF9476CAB1C3623CAA6 0
> [GNUPG:] INQUIRE_MAXLEN 100
> [GNUPG:] GET_HIDDEN passphrase.enter
> abc
> [GNUPG:] GOT_IT
> [GNUPG:] INQUIRE_MAXLEN 100
> [GNUPG:] GET_HIDDEN passphrase.enter
> def
> [GNUPG:] GOT_IT
> [GNUPG:] SUCCESS keyedit.passwd
> --8<---------------cut here---------------end--------------->8---
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>