Login/Register
How can I force GPG to accept input from STDIN instead of trying to open a file?
Asked Answered
Solved phpbashlampgnupgpassphrase
E

2

4

I am trying to incorporate GPG's clear-signing of text in a string in a PHP script. I can cause GPG to encrypt text in a string like this:

$encrypted = shell_exec("echo '$text' | gpg -e -a -r [email protected] --trust-model always");

and that works perfectly, with the encrypted text being sent to the $encrypted variable. This proves GNUPGHOME and GNUPG are set up correctly.

However, when I try to produce a clear-signed message in the same way with this:

$text = "googar";

$signature = exec("echo $passphrase | gpg -v --clearsign --no-tty --passphrase-fd 0 '$text' 2>&1 1> /dev/null", $output);

I get this error:

... string(51) "gpg: can't open `googar': No such file or directory"
[3]=>
string(46) "gpg: googar: clearsign failed: file open error"
}

This error is returned with or without the single quotes around the $text variable.

How can I force GPG or shell_exec to treat $text as a pipe instead of it looking for a file?

I need to echo the passphrase in this way. I know, it's 'horribly insecure' because GPG has no way to pass in a passphrase as a variable on the command line.

Estimation answered 8/8, 2011 at 11:43 Comment(0)
S
5

You could use proc_open and create a separate file descriptor for your password:

$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w"),
    3 => array("pipe", "r"),
);

$pipes = false;
$process = proc_open("gpg -v --clearsign --no-tty --passphrase-fd 3", $descriptorspec, $pipes);

if(is_resource($process)) {
    fwrite($pipes[3], $passphrase);
    fclose($pipes[3]);

    fwrite($pipes[0], $text);
    fclose($pipes[0]);

    $output = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);

    fclose($pipes[1]);
    fclose($pipes[2]);

    $retval = proc_close($process);

    echo "retval = $retval\n";
    echo "output= $output\n";
    echo "err= $stderr\n";
}
Starkey answered 8/8, 2011 at 13:35 Comment(1)
Thank you so much for this, problem solved. I dropped in your code, and it just works. I will study its parts to learn something new. Once again, thanks!Estimation
L
4

You could use process substitution:

echo $passphrase | gpg -v -o- --clearsign --passphrase-fd 0 <(printf "$text")

This will make GPG think it is reading data from a file, but the file will be a temporary named pipe whose input will be printf "$text".

-o- causes GPG to write the message and its signature to standard out.

Limitless answered 8/8, 2011 at 13:20 Comment(2)
Thanks for your answer. It now returns no error, but also does not display the GPG signed output.Estimation
True, no output, because stdout and stderr are piped to /dev/null. Try without 2>&1 1> /dev/nullat the end, and if the result is ok, I will update the answer (I am too lazy to build the test case myself).Limitless

© 2022 - 2024 — McMap. All rights reserved.