
GnuPG not working when in BATCH

 
Brian  Schenkenberger
Frequent Advisor

GnuPG not working when in BATCH

A client has a command procedure to pull encrypted files from an ftp site and then decrypt them. They now want to do this on a nightly basis and tried putting their procedure in a resubmitting BATCH job.

 

Interactively, their command procedure works to decrypt the files with this line doing the PGP decryption:

 

$ PIPE gpg -v  --no-tty --passphrase-fd 0 --output "file.csv" --decrypt "file^.csv.pgp" < PASSPHRASE.TXT

 

However, in BATCH, the 'gpg' command seems to go into an infinite loop.

I'm thinking something is confusing the 'gpg --passphrase-fd 0...' in batch mode.

 

 

Please, no lectures about the PASSPHRASE in a file...

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

FWIW, I found that just trying to use GPG in batch is the problem:

 

$ SET PROCESS/PARSE_STYLE=EXTENDED
$ @SYS$COMMON:[GnuPG]GnuPG_SETUP.COM
$ GPG   == "$SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.G10.ALPHAL]GPG.EXE
$ GPGV  == "$SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.G10.ALPHAL]GPGV.EXE
$ gpg -?

Infinite loop! 

 

$ gpg --version
gpg (GnuPG) 1.4.11a
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

 

Hoff
Honored Contributor

Re: GnuPG not working when in BATCH

Are you running the HP GnuPG port, Mr Schweda's port, your own port, or some other port?

 

If you're not running Mr Schweda's port, start there.  Failing that, maybe try your own port?

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

The GnuPG on the HP site.

 

Hoff
Honored Contributor

Re: GnuPG not working when in BATCH

Then definitely try Steven's GnuPG port.
Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

I stand corrected:

 

$SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.G10.ALPHAL]GPG.EXE

-------------------------------------------------^^^^^^^^

 

I looked at the HP site and that version is 1.4.7.

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

Definitely  Steven M. Schweda's build... as per SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.VMS]VMS_NOTES.TXT...

 

   When reporting problems, especially build problems, with GnuPG for
VMS, it is often useful to reveal precise compiler, run-time library,
and VMS version information.  The program DECC_VER.C (included in the
kit) is intended to make that easier.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode.info
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

>    When reporting problems, [...]

 

   While it's always gratifying to see one's advice quoted, it can be
even more satisfying when it's followed.

> However, in BATCH, the 'gpg' command seem to go into an infinite loop.

 

   Apparently something does.  I'd never tried:
      pipe gpg --passphrase-fd 0 ... < pp.txt
but it does seem to loop.  What did work for me were things like:
       pp_symb = "Pass Phrase"
       pipe write sys$output pp_symb | gpg --passphrase-fd 0 ...
and:
       pipe type pp.txt | gpg --passphrase-fd 0 ...

Both seem satisfactory in and out of batch mode.

 

   When I get bored enough, I might look into what's happening in the
"pipe gpg --passphrase-fd 0 ... < file" case.  I should be able to add a
usage note on the Web page, if nothing else.

John Gillings
Honored Contributor

Re: GnuPG not working when in BATCH

Brian,

   Maybe instead of using PIPE input redirection, try DEFINE/USER. For example:

 

$ DEFINE/USER SYS$INPUT PASSPHRASE.TXT

$ gpg ....

 

or possibly:

 

$ DEFINE/USER SYS$COMMAND PASSPHRASE.TXT

$ gpg ....

 

With Unix utilities I've sometimes found it necessary to redirect SYS$COMMAND when running in batch mode:

 

$ DEFINE/USER SYS$COMMAND NL:

$ PIPE gpg... < PASSPHRASE.TXT

 

Never quite understood why. It may have something to do with the assumptions about input streams and the differences between Unix and VMS.

A crucible of informative mistakes
The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

Brian,  

 

this works for us.

 

$ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

 

Dave.

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

> this works for us.
>
> $ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

   Really?  Without the "--passphrase-fd 0"?  Around here
(interactively):

alp $ pipe type pp.txt | gpg -d -o bat6.out login.com-gpg

You need a passphrase to unlock the secret key for
user: "Steven M. Schweda (Antinode 2011) <sms@antinode.info>"
2048-bit RSA key, ID EFCC5412, created 2011-09-01 (main key ID C6803C31)

Enter passphrase:
[...]

Same for an interactive DCL procedure.  In a batch job:

alp $ type [--]decr_bat6.log
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
gpg: fatal: error disabling terminal echo: illegal i/o function code
secmem usage: 1664/1824 bytes in 4/5 blocks of pool 1824/32768
  SMS          job terminated at  6-SEP-2011 10:04:46.99

  Accounting information:
[...]

alp $ gpg --version
gpg (GnuPG) 1.4.11b
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

Yes Steven,

 

This is the code being executed (with redactions.)

 

$!
$!         Step 5: De-crypt the file.
$!
$     PMDF Mail /Subject="File ''Encr_File' retrieved from XXXX."   NL:    "EON_Admin"
$     Write sys$output ">>> ''f$time()' Encrypted File Retrieved from XXXX"
$     Open/Append Hist_File LOGS_OB:INVRETR.HIST
$     Write Hist_file ">>> ''f$time()' ''Encr_File' retrieved from XXX..."
$     Close Hist_File
$!
$     Write sys$output ">>> Decrypt the file..."
$     Write sys$output ">>>    ''Encr_File' ==> ''Decr_File'"
$!
$     pipe ty Userroot:[EOD.GNUPG]EON_PP.Txt | GPG --output  'Decr_File'  --decrypt  'Encr_File'
$     Stat = $status
$!
$    Dir/date=(C,M)/Size=all 'FileName'.*

 

and this is the log output.

 

>>> 2-SEP-2011 07:02:59.42 Encrypted File Retrieved from XXXX
>>> Decrypt the file...
>>>    TSS001_INV_20110901_16550_ZIP.PGP ==> TSS001_INV_20110901_16550_ZIP.ZIP

gpg: Please note that you don't have secure memory on this system
gpg: WARNING: program may create a core file!
Enter passphrase:
gpg: encrypted with 2048-bit ELG-E key, ID AB95A97F, created 2008-03-11
"Xxxxxx End Night (Testing only) <END_NIGHT@Xxxxxxx.com>"
gpg: Signature made Fri Sep 2 05:58:07 2011 EDT using DSA key ID C2DC5ED6
gpg: Can't check signature: public key not found

Directory RRD_ROOT:[000000]

TSS001_INV_20110901_16550_ZIP.PGP;1
                                         382978/383031 2-SEP-2011 06:36:28.92
TSS001_INV_20110901_16550_ZIP.ZIP;1
                                         383328/383396 2-SEP-2011 07:03:00.14

Total of 2 files, 766306/766427 blocks.

 

This is the version I/we are using.

 

$  gpg --version
gpg: Please note that you don't have secure memory on this system
gpg (GnuPG) 1.4.7
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

 

I apologize if this is not supposed to work.

 

Dave

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

> $  gpg --version

> gpg: Please note that you don't have secure memory on this system

> gpg (GnuPG) 1.4.7

> [...]


   Ah.  That looks like HP's kit, which could account for many things.
I'd need to do some research, but it may be looking at stdin/SYS$INPUT
instead of SYS$COMMAND.

   There are reasons for a complete/useful problem (or other behavior)
report to include versions and other environment info.

> I apologize if this is not supposed to work.

   Accepted.  (Blame HP, not me.  I'm moderately confident that GnuPG is
not supposed to accept a pass phrase from stdin without a special
dispensation ("--passphrase-fd 0").)

The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

My process has been in place (in our Production Environment) for 3-4 years without any issues.      Have never felt the need to upgrade (and possibly break) a process which was/is working.

 

However, I realize that time moves on for everyone else, and the old stuff starts to look strange.

 

Dave.

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

$ PIPE TYPE 'PASSPHRASE_FILE' | gpg --passphrase-fd 0 ...

 

Works, whereas:

 

$ PIPE gpg --passphrase-fd 0 ... < 'PASSPHRASE_FILE'

 

does not.

 

The latter DOES work INTERACTIVEly and in SPAWNed subprocesses.

 

For now, this will get the client rolling but it would be nice to know why --passphrase-fd 0 ... < 'PASSPHRASE_FILE' doesn't work in BATCH.

Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH

The last report was incorrect.  The BATCH job doesn't loop but it also doesn't decrypt the file.

 

Going back to the  < until this can be sorted out.


Brian  Schenkenberger
Frequent Advisor

Re: GnuPG not working when in BATCH


@The Brit wrote:

Brian,  

 

this works for us.

 

$ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

 

Dave.


That doesn't even make sense.  Why would you direct from the file into TYPE and output to the pipe (with the | doesn't make sense) when a simple TYPE would suffice?

 

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

> The last report was incorrect.  The BATCH job doesn't loop but it also
> doesn't decrypt the file.

   As I said, it works for me.  And has for a while:

      http://h30499.www3.hp.com/t5/x/x/td-p/5097162

 

I'd expect the batch job log file to offer some info on what went awry.

 

 

> Have never felt the need to upgrade [...]

   I'm not arguing.  I find the key server stuff in mine handy from time
to time, and, while I use this stuff very seldom, I've run into a bunch
of bugs in the HP edition.  For example, if you're looking for my public
key (the one whose pass phrase I can remember, any way):

alp $ gpg --search-keys antinode 2011 schweda
gpg: searching for "antinode 2011 schweda" from hkp server keys.gnupg.net
(1)     Steven M. Schweda (Antinode 2011) <sms@antinode.info>
          2048 bit RSA key C6803C31, created: 2011-09-01
Keys 1-1 of 1 for "antinode 2011 schweda".  Enter number(s), N)ext, or Q)uit > q

And, of course, there are the security/bug fixes in the main code
between versions 1.4.7 and 1.4.11.

 

   And I never see this:

 

> gpg: Please note that you don't have secure memory on this system

 

And I can build the latest stuff on VAX (except for a couple of the hash
algorithms).  And ..., but you get the idea.

The Brit
Honored Contributor

Re: GnuPG not working when in BATCH

I'm not sure I understand your reply Brian.     A couple of posts ago you wrote

 

> $  PIPE TYPE 'PASSPHRASE_FILE'| gpg --passphrase-fd 0 ...

 

> Works,

 

and I assume here that "PASSPHRASE_FILE" is just a symbol containing the full path to the file containing the passphrase.   Now bear in mind I am using a different, much older version than you, how is this different from what I wrote??

 

i.e.    $ Pipe Ty <passphrase_file> | gpg --output ...

 

where here "<passphrase_file>" is the path to the file containing the passphrase.      

 

Note:    the syntax  "--passphrase-fd 0" does not exist in my version, (or at least it wasn't required).       My original response was made before the versions were discussed.

 

Finally, I am sorry that this doesn't make any sense to you, however it does apparently make sense to my version of GnuPG and OpenVMS.      I'm afraid that they are the guys that matter in this case.

 

Dave.

 

 

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

   I'd guess that the "<" and ">" in "<Passphrase_File>" are what caused
the confusion.  This stuff gets ambiguous when pipes are involved, and
"<" and ">" are used for multiple purposes.  Especially when one person
is using them in one way, while the other person is using them in
another way.

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH

>    Ah.  That looks like HP's kit, which could account for many things.
> I'd need to do some research, but it may be looking at stdin/SYS$INPUT
> instead of SYS$COMMAND.

 

   For the curious but lazy, yes, HP's GnuPG 1.4.7 reads a passphrase
from SYS$INPUT.  My GnuPG for VMS uses ctermid() to identify the
controlling terminal, just as GnuPG normally does on a
UNIX(-like) system.  According to the CRTL HELP, on VMS, ctermid()
returns SYS$COMMAND.  See [.util]ttyio.c:tty_get_ttyname(), and HP's
[.vms]vms_config.h:HAVE_CTERMID (not defined) v. my
[.vms]config.h_vms:HAVE_CTERMID (defined).

Steven Schweda
Honored Contributor

Re: GnuPG not working when in BATCH