
Re: [Duplicity-talk] gpg: sign+symmetric


From: edgar . soldin
Subject: Re: [Duplicity-talk] gpg: sign+symmetric
Date: Tue, 04 Oct 2011 23:23:49 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2

On 04.10.2011 21:24, Richard wrote:
> Hello,
> 
> The man page for duplicity 0.6.15 says:
> 
>        If symmetric encryption is used and the signing key is passphrase-protected,
>        the encryption passphrase must equal the passphrase of the signing key.
> 
>        This limitation can be circumvented by using gpg-agent for storing the
>        passphrase of the signing key and the PASSPHRASE environment variable for
>        the encryption key or by enabling asymmetric encryption using the
>        --encrypt-key option.
> 
> I have tried the former, but PASSPHRASE is ignored if --use-agent is on:
> duplicity does use the agent to get the signing key, but prompts for
> the symmetric encryption passphrase
> -- which is a little annoying since it has to be entered twice for
> each file to be encrypted.

i tried to reproduce this and played around with gpg a bit

it knows two modes, as it seems. notice you have to define the key to sign with as the default key

1.
'--passphrase-fd 0' plus a piped password, totally ignores gpg-agent, even if set up properly
e.g.
echo passphrase | /usr/bin/gpg --sign --default-key 01234567 --passphrase-fd 0 -o /tmp/out --batch -c /tmp/in


2.
no specific arguments, and no piped data if -o -i are set (this throws a general error)
e.g.
/usr/bin/gpg --sign --default-key 01234567 -o /tmp/out --batch -c /tmp/in

the tests lead to the conclusions

signed symmetric encryption with commandline gpg is only possible if either

A. both passphrases (symmetric and sign keys) are entered with gpg-agent
or
B. using '--passphrase-fd 0' and the sign key has an empty passphrase
or
C. using '--passphrase-fd 0' and both passphrases (symmetric and sign keys) are identical

the manpage has to be updated on this


.. ede/duply.net
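
Added example (not part of the original message and not duplicity's own code): a POSIX shell pre-flight wrapper that applies conclusions A to C before an unattended run, so a configuration gpg cannot satisfy fails early instead of prompting. USE_AGENT, SIGN_PASSPHRASE, GPG and the function names are assumptions of this example; the key id is the placeholder used in the message.

```sh
#!/bin/sh
# Added example: names below are hypothetical, not duplicity's own.
GPG=${GPG:-/usr/bin/gpg}   # set GPG=echo for a dry run that prints the arguments

# sign_symmetric_mode USE_AGENT SYM_PASS SIGN_PASS
# Prints which conclusion applies; returns 1 if none does.
sign_symmetric_mode() {
    if [ "$1" = "yes" ]; then
        echo agent                 # A: agent supplies both passphrases
    elif [ -z "$2" ]; then
        return 1                   # added guard: nothing to pipe on fd 0
    elif [ -z "$3" ]; then
        echo fd0-empty-signkey     # B: sign key has an empty passphrase
    elif [ "$2" = "$3" ]; then
        echo fd0-identical         # C: one piped passphrase serves both
    else
        return 1                   # differing passphrases on fd 0
    fi
}

# sign_symmetric_encrypt KEYID INFILE OUTFILE
# Reads USE_AGENT, PASSPHRASE and SIGN_PASSPHRASE from the environment.
sign_symmetric_encrypt() {
    mode=$(sign_symmetric_mode "${USE_AGENT:-no}" "${PASSPHRASE:-}" "${SIGN_PASSPHRASE:-}") || {
        echo "refusing: needs gpg-agent, an empty sign-key passphrase, or identical passphrases" >&2
        return 2
    }
    case $mode in
        agent)
            # Mode 2 of the message: no --passphrase-fd, nothing piped.
            "$GPG" --sign --default-key "$1" -o "$3" --batch -c "$2"
            ;;
        *)
            # Mode 1: passphrase on stdin, so it never appears in argv.
            printf '%s\n' "$PASSPHRASE" |
                "$GPG" --sign --default-key "$1" --passphrase-fd 0 -o "$3" --batch -c "$2"
            ;;
    esac
}
```
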


