Mailing List Archive

How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?
... (Windows 10) [DOS] cmd ... [*NOT* powershell]
... cygwin gpg ...

How can I have gpg pause to receive its passphrase, before it starts
outputting decrypt to stdout?
e.g. gpg -c < secretdata.json.pgp | jq | less
- less is happening before gpg has 'readlined' the passphrase, and
things get ... all confused.
[I don't mind not seeing things (such as the password request) on
stdout, but herein it seems both less and gpg are trying to consume
stdin.]

So if gpg could finish getting its passphrase from 'readline' before
opening stdout (that less then sees to clear the screen and open its
window, and start showing its incoming data), things would be ...
unconfused.

So far:
( gpg.exe -d somefile.gpg | jq.exe ) | less

seems to do it (give gpg time to acquire the passphrase), but the
'()'s involved certainly weren't intuitive.

Is there a way for 'gpg -d file.gpg' to finish acquiring the
passphrase (via 'readline') before it starts writing to stdout
(triggering less' screen clearing and stdout watching)?

I have come across '--batch' which seems no help, as it cuts off
stdin, preventing gpg -d from 'readlining' a passphrase.
(There seems a corresponding '--pinentry-mode loopback' to '--batch',
but that doesn't seem in play yet, to that point in the sequence.)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?
On Sat, 16 Mar 2024 21:26, B.S. said:
> ... (Windows 10) [DOS] cmd ... [*NOT* powershell]
> ... cygwin gpg ...

[Do not use a Cygwin build of gpg - this is not supported. Use a
standard build for Windows.]

> How can I have gpg pause to receive its passphrase, before it starts
> outputting decrypt to stdout?

Due to the way a pipe works there is not much you can do here. Except
for having some kind of buffering tool in between. However, if you know
the passphrase, you can pass it to gpg directly using --passphrase-file
and --pinentry-mode=loopback.

> So if gpg could finish getting its passphrase from 'readline' before
> opening stdout (that less then sees to clear the screen and open its

The pipeline is constructed by the shell (cmd.exe) and file descriptors
are given to the programs. There is nothing any of the programs can do
here. In fact when using a pipeline in this way, the next program in
the line should be able to handle the output of the former which means
it will expect valid output.

> So far:
> ( gpg.exe -d somefile.gpg | jq.exe ) | less

You are using a Cygwin version of the standard shell here? In this case
make sure that jq.exe gets its EPIPE from the failed gpg.exe.

You may consider to use gpgme-json as a higher level API to gpg. But of
course it does not work the usual way in a pipe.


Salam-Shalom,

Werner



--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?
> However if you know the passphrase, you can pass it to gpg directly using --passphrase-file and --pinentry-mode=loopback.
I figured, but am trying to avoid having the passphrase land on disk at all.

> Due to the way a pipe works there is not much you can do here.
Except (I would hope?) if gpg were to make sure nothing is written to
stdout until after passphrase was completely acquired, before
decrypting and writing the decrypt to stdout, I don't expect less will
have cleared the screen to that point. [Less waits to clear screen,
etc., until after it receives something / anything at stdin, IIRC.]

> You are using a Cygwin version of the standard shell here?
No, standard DOS prompt (Win 10). Just that cygwin is along the path.
(It's win jq, in this case, however.) [cygwin less.exe being quieter
and more functional than dos' more.exe.]

> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
(1) EPIPE? As in '2|' - that's a thing (in 'Win 10' dos)?
(2) gpg has not failed here. I guess the issue is also gpg displaying
prompt, also confusing less.

I will have to try 'gpg.exe -d somefile.gpg < con: 2> nul: | jq.exe |
less', or something like.

Curious that '( gpg.exe -d somefile.gpg | jq.exe ) | less' displays
sufficiently well - I'm guessing I'm just getting lucky with
(sub-shell?) delays, giving things time to display.

On Mon, Mar 18, 2024 at 9:58 AM Werner Koch via Gnupg-users
<gnupg-users_at_gnupg.org_omcujl92@duck.com> wrote:
>
> On Sat, 16 Mar 2024 21:26, B.S. said:
> > ... (Windows 10) [DOS] cmd ... [*NOT* powershell]
> > ... cygwin gpg ...
>
> [Do not use a Cygwin build of gpg - this is not supported. Use a
> standard build for Windows.]
>
> > How can I have gpg pause to receive its passphrase, before it starts
> > outputting decrypt to stdout?
>
> Due to the way a pipe works there is not much you can do here. Except
> for having some kind of buffering tool in between. However, if you know
> the passphrase, you can pass it to gpg directly using --passphrase-file
> and --pinentry-mode=loopback.
>
> > So if gpg could finish getting its passphrase from 'readline' before
> > opening stdout (that less then sees to clear the screen and open its
>
> The pipeline is constructed by the shell (cmd.exe) and file descriptors
> are given to the programs. There is nothing any of the programs can do
> here. In fact when using a pipeline in this way, the next program in
> the line should be able to handle the output of the former which means
> it will expect valid output.
>
> > So far:
> > ( gpg.exe -d somefile.gpg | jq.exe ) | less
>
> You are using a Cygwin version of the standard shell here? In this case
> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
>
> You may consider to use gpgme-json as a higher level API to gpg. But of
> course it does not work the usual way in a pipe.


Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?
Bee via Gnupg-users wrote:
>> However if you know the passphrase, you can pass it to gpg directly using --passphrase-file and --pinentry-mode=loopback.
>>
> I figured, but am trying to avoid having the passphrase land on disk at all.
>

Could you set up a RAM disk for this? (I think Windows still has those,
but it has been a few years since I have used Windows any significant
amount.)


-- Jacob

Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?
On 2024-03-19 00:01, Bee via Gnupg-users wrote:
>> However if you know the passphrase, you can pass it to gpg directly using --passphrase-file and --pinentry-mode=loopback.
> I figured, but am trying to avoid having the passphrase land on disk at all.
>
>> Due to the way a pipe works there is not much you can do here.
> Except (I would hope?) if gpg were to make sure nothing is written to
> stdout until after passphrase was completely acquired, before
> decrypting and writing the decrypt to stdout, I don't expect less will
> have cleared the screen to that point. [Less waits to clear screen,
> etc., until after it receives something / anything at stdin. (?)]
>
>> You are using a Cygwin version of the standard shell here?
> No, standard DOS prompt (Win 10). Just that cygwin is along the path.
> (It's win jq, in this case, however.) [cygwin less.exe being quieter
> and more functional than dos' more.exe.]
>
>> make sure that jq.exe gets its EPIPE from the failed gpg.exe.
> (1) EPIPE? As in '2|' - that's a thing (in 'Win 10' dos)?
EPIPE is the C/POSIX error code a program receives when the pipe it
reads from ends. In this case the ordinary stdout pipe. However the
Microsoft CMD.EXE supports a surprisingly large subset of Unix shell
options, but sometimes with slightly different syntax. Some but not
all of this is documented in the builtin help output such as cmd /?
and set /? etc.

However in this case the problem is that the shell, whichever you use,
will start the redirection to jq immediately, because the shell knows
nothing about gpg.exe or what part of its user interface to treat
specially.  Using a "pinentry-program" helper that prompts via the
Win32/X11 GUI is the official solution for such cases.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
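
Added example, not part of any message in this thread: one form the "buffering tool in between" could take, combined with the loopback pinentry mode mentioned above but with no passphrase file on disk. The wrapper name `gpgbuf.py`, the use of Python's `getpass`, and feeding gpg through `--passphrase-fd 0` are choices made for this example; it assumes a native gpg 2.1 or later on PATH with loopback pinentry permitted.

```python
import getpass
import subprocess
import sys

GPG = "gpg"  # assumption: a native (non-Cygwin) gpg binary is on PATH


def build_gpg_argv(ciphertext_path):
    """argv for a non-interactive decrypt; the passphrase is never in it."""
    return [
        GPG, "--batch", "--quiet",
        "--pinentry-mode", "loopback",
        "--passphrase-fd", "0",      # gpg reads one line from its stdin
        "--decrypt", ciphertext_path,
    ]


def decrypt_buffered(ciphertext_path, passphrase, run=subprocess.run):
    """Return the whole plaintext as bytes, or raise if gpg failed."""
    if "\n" in passphrase:
        raise ValueError("passphrase must be a single line")
    proc = run(
        build_gpg_argv(ciphertext_path),
        input=passphrase.encode("utf-8") + b"\n",
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    if proc.returncode != 0:
        # Partial output is discarded so the next stage never sees it.
        raise RuntimeError(proc.stderr.decode("utf-8", "replace").strip())
    return proc.stdout


def main(argv):
    if len(argv) != 2:
        print("usage: gpgbuf.py FILE.gpg", file=sys.stderr)
        return 2
    # getpass prompts on the console/tty, not on the piped stdout.
    passphrase = getpass.getpass("Passphrase: ")
    try:
        plaintext = decrypt_buffered(argv[1], passphrase)
    except RuntimeError as err:
        print(f"gpg failed: {err}", file=sys.stderr)
        return 1
    sys.stdout.buffer.write(plaintext)  # first byte on stdout happens here
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Used as `python gpgbuf.py somefile.gpg | jq | less`, the wrapper writes nothing to the pipe until gpg has exited successfully, and the passphrase travels only over gpg's stdin.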


Re: How can I have gpg pause to receive its passphrase, before it starts outputting decrypt to stdout?
On Mon, Mar 18, 2024 at 9:58 AM Werner Koch via Gnupg-users
<gnupg-users_at_gnupg.org_omcujl92@duck.com> wrote:
>
> On Sat, 16 Mar 2024 21:26, B.S. said:
> > ... (Windows 10) [DOS] cmd ... [*NOT* powershell]
> > ... cygwin gpg ...
>
> [Do not use a Cygwin build of gpg - this is not supported. Use a
> standard build for Windows.]

Thanks kindly. Found https://dev.gnupg.org/T4059 {Jul 8 2018} from
Werner, to explain the point:

> Note that Cygwin is not a supported platform. Seems that the exec functions don't work on this 64 bit variant.
and
> ... it seems that GnuPG can be used on 32 bit Cygwin....

Very Good to know.


And ... 32-bit cygwin is no longer maintained / supported, as of
version 3.3.6, around 11/11/2022, per
https://cygwin.com/pipermail/cygwin-announce/2022-November/010810.html

