gpg-agent in gpg2

Posted on 2024-11-28 20:12:27

I'm attempting to futureproof some custom software that utilizes GPG (currently v 1.4.10) to perform symmetric encryption/decryption processes. My current encryption command looks like this:

    gpg --batch --no-tty --no-use-agent --symmetric --cipher-algo AES256 --passphrase "foobar" /path/to/file_to_be_encrypted

Without the --no-use-agent option, I get the infamous error message

    gpg-agent is not available in this session

I'm concerned about a move to gpg2 because, according to the documentation, the gpg-agent is always required, and --no-use-agent is simply a dummy option. My gpg calls occur in the background via a daemon process, so this is very much a no-agent scenario (plus the fact that it's symmetric, and I have no need of the agent at all).

Documentation at this level of detail is sparse, so I'm looking for user experience. Does gpg2 incorporate the agent more tightly, so that I don't have to worry about its availability?

Comments (1)

深居我梦 2024-12-05 20:12:27
  1. The way you invoke gpg2, it might fail if the output file path/to/file_to_be_encrypted.gpg already exists. If you want the file to be overwritten, you should provide the --yes option:

    gpg2 --batch --yes --no-tty --no-use-agent --symmetric --cipher-algo AES256 --passphrase "foobar" /path/to/file_to_be_encrypted
    
  2. When you are using symmetric encryption (like you do), the passphrase constraints (even if set to enforced by gpg-agent) will not be applied at all—it will just work.

    Say the gpg-agent was run like this (and let the mypasswords file even contain the forbidden pattern that exactly matches your password):

    eval $(gpg-agent --daemon --enforce-passphrase-constraints --min-passphrase-len 8 --min-passphrase-nonalpha 4 --check-passphrase-pattern mypasswords)
    

    Then your command would still succeed.

    In short: gpg-agent will not make it fail (unless it crashes gpg for some reason—like wrong configuration or missing executable, which you cannot account for).

    EDIT: I've just checked and in symmetric mode gpg2 will work even if gpg-agent is wrongly configured or if the gpg-agent executable is missing.

    This is not related, but just in case: I also verified what happens when you try to change the password of your private key while gpg-agent is missing or is wrongly configured: gpg2 will report a warning, will not even ask for the new passphrase, and continue working.
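
For the background (daemon) use the question describes, the wrapper below, an added example that is not part of the original question or answer, selects options by installed gpg version and feeds the passphrase on a file descriptor instead of `--passphrase`, whose value is visible in the process list. It relies on the gpg manual's note that from 2.1 on the passphrase options are honoured only with `--pinentry-mode loopback`; `GPG_BIN`, `gpg_sym_opts`, `sym_encrypt` and `sym_decrypt` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original post). GPG_BIN, gpg_sym_opts,
# sym_encrypt and sym_decrypt are hypothetical names chosen here.
GPG_BIN="${GPG_BIN:-gpg}"    # set GPG_BIN=gpg2 where that is the binary name

# Print the options a background (daemon) call needs for the installed
# gpg version. No option contains whitespace, so callers may word-split it.
gpg_sym_opts() (
    ver=$("$GPG_BIN" --version | awk 'NR==1 {print $NF}')   # e.g. 1.4.10, 2.2.27
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    opts="--batch --yes --no-tty --quiet"   # --yes: overwrite an existing output file
    if [ "$major" -eq 1 ]; then
        opts="$opts --no-use-agent"             # only meaningful in 1.x
    elif [ "$major" -gt 2 ] || [ "$minor" -ge 1 ]; then
        opts="$opts --pinentry-mode loopback"   # 2.1+: needed for --passphrase-fd
    fi
    printf '%s\n' "$opts"
)

# sym_encrypt PASSFILE INFILE OUTFILE
# The passphrase is the first line of PASSFILE (keep it mode 0600); it reaches
# gpg on file descriptor 3, so it never appears in the process argument list.
sym_encrypt() {
    # shellcheck disable=SC2046
    "$GPG_BIN" $(gpg_sym_opts) --symmetric --cipher-algo AES256 \
        --passphrase-fd 3 --output "$3" "$2" 3<"$1"
}

# sym_decrypt PASSFILE INFILE OUTFILE
sym_decrypt() {
    # shellcheck disable=SC2046
    "$GPG_BIN" $(gpg_sym_opts) --decrypt \
        --passphrase-fd 3 --output "$3" "$2" 3<"$1"
}
```

A daemon that already holds the passphrase in memory can connect a pipe to descriptor 3 instead of a file, which keeps the secret off disk as well.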
