gpgencryption文件没有键盘交互

我运行一个crontab中的下一个命令来encryption一个文件,我不想要一个键盘交互

echo "PASSPHRASE" | gpg --passphrase-fd 0 -r USER --encrypt FILENAME.TXT 

但我有这个答案:

 gpg: C042XXXX: There is no assurance this key belongs to the named user pub 40XXX/C042XXXX 2012-01-11 Name LastName. (comment) <user@email.com> Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Subkey fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) 

正如大卫所暗示的,这里的问题是gpg不相信你用来encryption的公钥。 你可以按照他的解释签名。

另一种select – 特别是如果密钥可能会偶尔改变 – 将--trust-model always--trust-model always gpg命令。

以下是手册页中的相关位:

 --trust-model pgp|classic|direct|always|auto Set what trust model GnuPG should follow. The models are: pgp This is the Web of Trust combined with trust signatures as used in PGP 5.x and later. This is the default trust model when creating a new trust database. classic This is the standard Web of Trust as used in PGP 2.x and earlier. direct Key validity is set directly by the user and not calculated via the Web of Trust. always Skip key validation and assume that used keys are always fully trusted. You generally won't use this unless you are using some external validation scheme. This option also suppresses the "[uncertain]" tag printed with signature checks when there is no evidence that the user ID is bound to the key. auto Select the trust model depending on whatever the internal trust database says. This is the default model if such a database already exists. 

这是我的解决scheme,基于gpg2(但我敢打赌,你可以应用类似的技术gpg)

 $ gpg2 --edit-key {recipient email address} > trust > 5 (select 5 if you ultimately trust the key) > save 

这将告诉gpg2完全信任密钥,以便您可以在没有提示的情况下进行encryption

黑客方法:

 echo -n PASSPHRASE > phrase chmod 400 phrase #Make sure ONLY the user running the cron job can read the phrase yes | gpg --passphrase-fd 3 --recipient USER --encrypt FILENAME.txt 3<phrase 

根本的问题是你的用户密钥没有签名。 如果你信任它,你可以用它来签名

 gpg --edit-key USER sign 

它可能会问几个问题,这取决于你的configuration。 这样做一次,那么你应该很好地去你的crontab。 我仍然build议使用我提出的解决scheme,把密码放在一个单独的文件中,并使其只能由运行命令的一个用户读取。 如果你这样做,你可以杀死yes | ,只需要encryption线。

使用这个命令,它会帮助你

 echo "PASSPHRASE" | gpg --passphrase-fd 0 --always-trust -r USER --encrypt FILENAME.TX 

或者签名钥匙(当然,您在指纹识别之后):

 gpg --sign-key <recipient email address> 

之后,你完全信任关键。

  1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately 

我也遇到了这个。 我无法得到签名键来做任何有趣的事情。 以下是我所做的:

创build一个gpg密钥:

 gpg --gen-key 

获得长密钥ID(结果在第5列):

 gpg --list-keys --with-colon name@domain.tld 

将信任的密钥行添加到〜/ gnupg / gpg.conf

 trusted-key 16DIGITALPHANUMERICKEYID 

备份脚本中的gpg行:

 gpg -e -r name@domain.tld backup_file.tgz 

debuggingcron:我还通过将stdout和stderr发送到cron命令行中的日志文件来捕获cron dubugging输出。 知道这很有帮助