sending automated GPG signed mails from batch job
Nicolas George
george at nsup.org
Tue May 21 18:05:42 UTC 2024
Matthias Apitz (12024-05-21):
> I do use GnuPG based on OpenPGP SIM cards even in my Linux telephone
> (Purism L5) for encrypting files, ~350 passwords (password-store) and SSH
> connections (the RSA secret is on the OpenPGP card). All works fine and
> gives access to the secrets by entering a 6 digit PIN:
For interactive basic use, GPG is fine.
> The problem with any automation, anyway if with GnuPG or not, is how to
> enter the passphrase or PIN to get access to the private key.
For automation, the key must be unencrypted during the operation. Or the
process must have the passphrase available, which is equivalent.
The problem is the agent. GPG now insists on handling all private key
operations through an agent started automatically in the background. The
control over the behavior of the agent is very limited. For interactive
use it is fine, you just let your session manage it. But for automation
and tests, you need control.
Also, GPG has its system of trust. For interactive use it is still fine.
But for automation, we need to control which key we use without some
stupid software deciding we are not allowed because it is not trusted.
Agents and trust are high-level issues. Proper design requires low-level
tools that do their job and no more, “Keep It Simple Stupid”, and
high-level tools on top of them. GPG does not have the low-level tools,
which makes it unsuitable for automation.
With sq, there is no such problem: the keys are in pairs of files, and it
uses the ones you tell it to use.
Regards,
--
Nicolas George