bash – How to supply both passphrase and string to encrypt to GnuPG using command line?

Considering using echo -n "passphrase" | gpg --batch --passphrase-fd 0 ... inside of Bash script (which should mitigate leaking passphrase to process list given echo is a built-in command, right?).

I need to know passphrase to create shares of it using Shamir Secret Sharing later in the script.

How can I supply string to encrypt to GnuPG? I usually use stdin for that.

Edit: following script appears to achieve what I want, but is it secure*?

*Passphrase and string are not leaked to other users nor written to file system and passphrase is cleared from memory once script exits

All feedback is welcomed as I might be naively considering an insecure approach.

#! /bin/bash

printf "%sn" "Please type passphrase and press enter "

read -s passphrase

echo -n "bar" | gpg --batch --passphrase-fd 3 --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor 3<<<"$passphrase"

According to ps ax, above script doesn’t leak passphrase.

gnupg – I plugged in a yubikey containing pgp subkeys, now secret key stubs are present

Procedure:

  • Create keypair on a live distro, upload public key, move secret subkeys to Yubikey
  • Reboot into normal disto
  • Plug in yubikey, and then remove it
  • Run gpg --recv-keys HANDLE to receive public key
  • Run gpg --list-secret-keys.

The result is that the secret key stubs show up in the secret key list. Running gpg --delete-secret-keys HANDLE errors, because the keys are not present (only the stubs are present).

The secret key has 100% never been on this machine, so I’m not clear on why the stubs are here. Presumably they were automatically imported from the yubikey, but it seems odd that I can’t delete them. Is this expected behaviour?

gnupg – Unable to verify the SHA256 checksum for Focal (20.04) LTS minimal cloud image

I’m attempting to follow the article here:
https://ubuntu.com/tutorials/how-to-verify-ubuntu#5-verify-the-sha256-checksum

to verify the checksum provided with the 20.04 minimal cloud image here:
http://cloud-images.ubuntu.com/minimal/releases/focal/release/

I’m getting an error from the first command:
$ gpg –keyid-format long –verify SHA256SUMS.gpg SHA256SUMS

gpg: not a detached signature

I don’t think the checksum is being verified because of the error and I’m not having any luck finding a solution elsewhere. I have deleted and re-downloaded the files a couple times, so it’s not an issue with that. Has anyone seen this before? Am I missing something?

gnupg – Instruct gpg-agent to use specific scdaemon – Starting scdaemon with debugging enabled

I’m trying to debug a smartcard with the OpenPGP applet using gpg and scdaemon. In order to enable debugging for scdaemon, I created

~/.gnupg/gpgagent.conf:

disable-scdaemon

and ran:

/usr/lib/gnupg/scdaemon --daemon --debug-level advanced --log-file scdaemon.log

But any attempt at gpg --card-status gives me

gpg: error getting version from 'scdaemon': Not supported
gpg: OpenPGP card not available: Not supported

so gpgagent cannot find my daemon. Is there a different way to enable debugging for scdaemon? I am using Ubuntu 20.04 LTS, gpg (GnuPG) 2.2.20, & scdaemon (GnuPG) 2.2.20.

GnuPG: How to create ECDSA signature?

https://tools.ietf.org/html/rfc6637 defines ECDSA for OpenPGP and https://wiki.gnupg.org/ECC lists elliptic curve support in GnuPG since version 2.1

I have version 2.2.25 and it lists ECDSA as supported algorithm:

$ gpg --version
gpg (GnuPG) 2.2.25-unknown
libgcrypt 1.8.7
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /c/Users/Matthias/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

However, if I generate a key, I’m not presented with that option:

$ gpg --full-generate-key
gpg (GnuPG) 2.2.25-unknown; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection?

How do I generate an ECDSA signature using GPG?

gnupg – pinentry-mac completely disables prompt for GPG passphrase

This is weird. I am using pass and pinentry-mac to unlock my passwords. My gpg-agent.conf uses pinentry-mac as its pinentry-program.

I’m not sure if I updated some dependency recently but suddenly decrypting passwords is now possible without asking for passphrase which I find as a serious problem. This is not a problem with pass as if I try using gpg directly to decrypt my encrypted files directly in terminal session, it’s the same.

If I disable pinentry-mac then it starts working and I’m asked to put my passphrase every time. Any idea what can be the cause? I have tried restarting / killing gpg-agent and logging out of my user account (even restarting the machine) but result is the same.

pgp – Understanding GnuPG –export-options backup

The GnuPG documentation lists an option called --export-options parameters. One of the possible parameters for this option is backup (aliased export-backup).

The description for --export-options backup states:

Export for use as a backup. The exported data includes all data which is needed to restore the key or keys later with GnuPG. The format is basically the OpenPGP format but enhanced with GnuPG specific data. All other contradicting options are overridden.

What data is included in “all data which is needed to restore the key or keys later?”

When the documentation says, “is basically the OpenPGP format but enhanced with GnuPG specific data,” what enhancing data is it talking about?

In stating “other contradicting options are overridden,” what contradicting options are being referred to?

gnupg – Retrieving GPG Private Sub-Key ID

I’ve created a GPG keyring as follows:

pub   rsa4096 2020-09-22 (C)
      CAF532F48781F8A0973317A41F2912156496A89A
uid           (ultimate) Ryan McClue <user@email.com>
sub   rsa4096 2020-09-22 (S) (expires: 2021-09-22)
sub   rsa4096 2020-09-22 (E) (expires: 2021-09-22)
sub   rsa4096 2020-09-22 (A) (expires: 2021-09-22)

I export the relevent keys and copy to an encrypted USB:

gpg --armor --export-secret-subkeys $KEY_ID > private-sub-keys.asc

Now, on a new machine I import these keys and assign ultimate trust:

gpg --import private-sub-keys.asc
gpg --edit-key $KEY_ID

Now as I understand it, GPG stores the public and private keys in the same file (roughly speaking). So the commands gpg --list-keys and gpg --list-secret-keys output only the public key id’s. In wanting to setup git to sign my commits using GPG, i.e. git config user.signingkey how do I get access to my private sub key’s id that is responsible for signing?