Operating System - OpenVMS

Re: GnuPG not working when in BATCH

 
Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

> this works for us.
>
> $ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

   Really?  Without the "--passphrase-fd 0"?  Around here
(interactively):

alp $ pipe type pp.txt | gpg -d -o bat6.out login.com-gpg

You need a passphrase to unlock the secret key for
user: "Steven M. Schweda (Antinode 2011) <sms@antinode.info>"
2048-bit RSA key, ID EFCC5412, created 2011-09-01 (main key ID C6803C31)

Enter passphrase:
[...]

Same for an interactive DCL procedure.  In a batch job:

alp $ type [--]decr_bat6.log
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
gpg: fatal: error disabling terminal echo: illegal i/o function code
secmem usage: 1664/1824 bytes in 4/5 blocks of pool 1824/32768
  SMS          job terminated at  6-SEP-2011 10:04:46.99

  Accounting information:
[...]

alp $ gpg --version
gpg (GnuPG) 1.4.11b
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

Yes Steven,

 

This is the code being executed (with redactions.)

 

$!
$!         Step 5: De-crypt the file.
$!
$     PMDF Mail /Subject="File ''Encr_File' retrieved from XXXX."   NL:    "EON_Admin"
$     Write sys$output ">>> ''f$time()' Encrypted File Retrieved from XXXX"
$     Open/Append Hist_File LOGS_OB:INVRETR.HIST
$     Write Hist_file ">>> ''f$time()' ''Encr_File' retrieved from XXX..."
$     Close Hist_File
$!
$     Write sys$output ">>> Decrypt the file..."
$     Write sys$output ">>>    ''Encr_File' ==> ''Decr_File'"
$!
$     pipe ty Userroot:[EOD.GNUPG]EON_PP.Txt | GPG --output  'Decr_File'  --decrypt  'Encr_File'
$     Stat = $status
$!
$    Dir/date=(C,M)/Size=all 'FileName'.*

 

and this is the log output.

>>> 2-SEP-2011 07:02:59.42 Encrypted File Retrieved from XXXX
>>> Decrypt the file...
>>>    TSS001_INV_20110901_16550_ZIP.PGP ==> TSS001_INV_20110901_16550_ZIP.ZIP

gpg: Please note that you don't have secure memory on this system
gpg: WARNING: program may create a core file!
Enter passphrase:
gpg: encrypted with 2048-bit ELG-E key, ID AB95A97F, created 2008-03-11
"Xxxxxx End Night (Testing only) <END_NIGHT@Xxxxxxx.com>"
gpg: Signature made Fri Sep 2 05:58:07 2011 EDT using DSA key ID C2DC5ED6
gpg: Can't check signature: public key not found

Directory RRD_ROOT:[000000]

TSS001_INV_20110901_16550_ZIP.PGP;1
                                         382978/383031 2-SEP-2011 06:36:28.92
TSS001_INV_20110901_16550_ZIP.ZIP;1
                                         383328/383396 2-SEP-2011 07:03:00.14

Total of 2 files, 766306/766427 blocks.

 

This is the version I/we are using.

 

$  gpg --version
gpg: Please note that you don't have secure memory on this system
gpg (GnuPG) 1.4.7
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

 

I apologize if this is not supposed to work.

 

Dave

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

> $  gpg --version

> gpg: Please note that you don't have secure memory on this system

> gpg (GnuPG) 1.4.7

> [...]


   Ah.  That looks like HP's kit, which could account for many things.
I'd need to do some research, but it may be looking at stdin/SYS$INPUT
instead of SYS$COMMAND.

   There are reasons for a complete/useful problem (or other behavior)
report to include versions and other environment info.

> I apologize if this is not supposed to work.

   Accepted.  (Blame HP, not me.  I'm moderately confident that GnuPG is
not supposed to accept a pass phrase from stdin without a special
dispensation ("--passphrase-fd 0").)

The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

My process has been in place (in our Production Environment) for 3-4 years without any issues.  Have never felt the need to upgrade (and possibly break) a process which was/is working.

 

However, I realize that time moves on for everyone else, and the old stuff starts to look strange.

 

Dave.

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

$ PIPE TYPE 'PASSPHRASE_FILE' | gpg --passphrase-fd 0 ...

 

Works, whereas:

 

$ PIPE gpg --passphrase-fd 0 ... < 'PASSPHRASE_FILE'

 

does not.

 

The latter DOES work INTERACTIVEly and in SPAWNed subprocesses.

 

For now, this will get the client rolling but it would be nice to know why --passphrase-fd 0 ... < 'PASSPHRASE_FILE' doesn't work in BATCH.

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

The last report was incorrect.  The BATCH job doesn't loop but it also doesn't decrypt the file.

 

Going back to the  < until this can be sorted out.


Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH


@The Brit wrote:

> Brian,
>
> this works for us.
>
> $ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'
>
> Dave.


That doesn't even make sense.  Why would you direct from the file into TYPE and output to the pipe (with the | doesn't make sense) when a simple TYPE would suffice?

 

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

> The last report was incorrect.  The BATCH job doesn't loop but it also
> doesn't decrypt the file.

   As I said, it works for me.  And has for a while:

      http://h30499.www3.hp.com/t5/x/x/td-p/5097162

 

I'd expect the batch job log file to offer some info on what went awry.

 

 

> Have never felt the need to upgrade [...]

   I'm not arguing.  I find the key server stuff in mine handy from time
to time, and, while I use this stuff very seldom, I've run into a bunch
of bugs in the HP edition.  For example, if you're looking for my public
key (the one whose pass phrase I can remember, any way):

alp $ gpg --search-keys antinode 2011 schweda
gpg: searching for "antinode 2011 schweda" from hkp server keys.gnupg.net
(1)     Steven M. Schweda (Antinode 2011) <sms@antinode.info>
          2048 bit RSA key C6803C31, created: 2011-09-01
Keys 1-1 of 1 for "antinode 2011 schweda".  Enter number(s), N)ext, or Q)uit > q

And, of course, there are the security/bug fixes in the main code
between versions 1.4.7 and 1.4.11.

 

   And I never see this:

 

> gpg: Please note that you don't have secure memory on this system

 

And I can build the latest stuff on VAX (except for a couple of the hash
algorithms).  And ..., but you get the idea.

The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

I'm not sure I understand your reply, Brian.  A couple of posts ago you wrote

 

> $  PIPE TYPE 'PASSPHRASE_FILE'| gpg --passphrase-fd 0 ...

 

> Works,

 

and I assume here that "PASSPHRASE_FILE" is just a symbol containing the full path to the file containing the passphrase.   Now bear in mind I am using a different, much older version than you, how is this different from what I wrote??

 

i.e.    $ Pipe Ty <passphrase_file> | gpg --output ...

 

where here "<passphrase_file>" is the path to the file containing the passphrase.      

 

Note:    the syntax  "--passphrase-fd 0" does not exist in my version (or at least it wasn't required).  My original response was made before the versions were discussed.

 

Finally, I am sorry that this doesn't make any sense to you, however it does apparently make sense to my version of GnuPG and OpenVMS.      I'm afraid that they are the guys that matter in this case.

 

Dave.

 

 

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

   I'd guess that the "<" and ">" in "<Passphrase_File>" are what caused
the confusion.  This stuff gets ambiguous when pipes are involved, and
"<" and ">" are used for multiple purposes.  Especially when one person
is using them in one way, while the other person is using them in
another way.