Automated importing of keys
Neil Williams
linux at codehelp.co.uk
Thu Jan 29 13:52:15 CET 2004
On Wednesday 28 Jan 2004 10:48 pm, Derek S. Graham wrote:
> Hello-
>
> I am working on a project where we are using GPG in an automated
> environment to pull encrypted files from a DMZ server and automatically
> decrypt them and move them to a specified location. All this is working
> fine. The problem I have is I need a script (Perl) that an administrator

There is a Perl module that can interface directly with GnuPG. It can retrieve
public keys from the keyserver specified in the .gnupg/gpg.conf or
.gnupg/options file with or without the auto-key-retrieve option. Just
install GnuPG::Interface from CPAN, set the correct <path> in the $homedir
variable and populate the @keylist array.
#!/usr/bin/perl -w
use strict;
use IO::Handle;
use GnuPG::Interface;

# Point this at the .gnupg directory of the user the script runs as.
my $homedir = "/home/<path>/.gnupg";

my @keylist;      # populate with the key IDs you want fetched
my @ciphertext;   # collects whatever gpg writes to stderr

my $gnupg = GnuPG::Interface->new();
$gnupg->options->hash_init( armor => 1, homedir => $homedir );
$gnupg->options->meta_interactive( 0 );

# ===============================================
# Update the keys in the @keylist array in the local keyring.
# Fresh handles are created for each gpg invocation so that the
# ones closed in the previous iteration are never reused.
foreach my $idlist (@keylist) {
    my $input  = IO::Handle->new();
    my $output = IO::Handle->new();
    my $error  = IO::Handle->new();
    my $encrypthandles = GnuPG::Handles->new( stdin  => $input,
                                              stdout => $output,
                                              stderr => $error );

    my $pid = $gnupg->recv_keys( handles      => $encrypthandles,
                                 command_args => "$idlist" );
    close $input;               # recv_keys takes nothing on stdin
    @ciphertext = <$error>;     # gpg reports its progress on stderr
    close $output;
    close $error;
    waitpid $pid, 0;
}

That's a snippet from a working script - it should work unless I've
inadvertently omitted a line in the (more complex) original script.
Rather than running this manually, if you use apache or some other process
that already runs as the specified user, Perl will behave in the same
environment. e.g. you could run it as a .pl file in a cgi-bin or as a cron
task or directly from the application (or one of its supporting scripts).
The public key ID strings (in my case) are held in MySQL which makes it
simplicity itself to update the list. The script/application/cron can take
care of the rest. MySQL can cope easily with only allowing access to the
relevant table to certain users.
Ain't open source great!
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
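An added example, not part of Neil's post or of GnuPG::Interface itself: in an unattended pipeline like the one described above, the key that comes back from a keyserver for a given key ID is not automatically the key you meant, because 32-bit and 64-bit key IDs are not unique and anyone can upload a key to a public keyserver. The script below fetches each key the same way as the snippet above, then compares the full fingerprint of what actually landed in the keyring against a fingerprint pinned in the script (the IDs and fingerprints in %expected are constructed placeholders, as is the <path> in $homedir) and exits non-zero if anything is missing or mismatched, so the decrypt job can refuse to proceed.

```perl
#!/usr/bin/perl -w
# Added example: fetch keys with GnuPG::Interface, then verify the
# retrieved keys against fingerprints obtained out of band before the
# automated decrypt/encrypt job relies on them.
use strict;
use IO::Handle;
use GnuPG::Interface;

# Assumption: the keyring of the user this runs as; replace <path>.
my $homedir = "/home/<path>/.gnupg";

# Constructed allow-list: key ID => full 40-hex-digit fingerprint.
# These are placeholders, not real keys; in the setup from the post
# this table would be read from the MySQL table of key IDs instead.
my %expected = (
    '0123456789ABCDEF' => '0000000000000000000000000000000000000000',
);

my $gnupg = GnuPG::Interface->new();
$gnupg->options->hash_init( armor => 1, homedir => $homedir );
$gnupg->options->meta_interactive( 0 );

# Step 1: retrieve each key from the keyserver named in gpg.conf.
foreach my $id ( sort keys %expected ) {
    my $in  = IO::Handle->new();
    my $out = IO::Handle->new();
    my $err = IO::Handle->new();
    my $handles = GnuPG::Handles->new( stdin  => $in,
                                       stdout => $out,
                                       stderr => $err );
    my $pid = $gnupg->recv_keys( handles      => $handles,
                                 command_args => [ $id ] );
    close $in;                       # nothing to send on stdin
    my @status = <$err>;             # gpg reports progress on stderr
    close $out;
    close $err;
    waitpid $pid, 0;
    warn "recv_keys for $id exited with status ", $? >> 8, "\n" if $?;
}

# Step 2: check what is now in the keyring against the pinned values.
# get_public_keys() returns every key matching the ID, so a colliding
# key uploaded by someone else shows up here as a mismatch.
my $problems = 0;
foreach my $id ( sort keys %expected ) {
    my @keys = $gnupg->get_public_keys( $id );
    if ( !@keys ) {
        warn "$id: no key present after retrieval\n";
        $problems++;
        next;
    }
    foreach my $key ( @keys ) {
        my $fpr = uc $key->fingerprint->as_hex_string;
        if ( $fpr ne uc $expected{$id} ) {
            warn "$id: fingerprint $fpr does not match pinned value\n";
            $problems++;
        }
    }
}

# Non-zero exit lets the calling cron job or application stop here
# instead of decrypting with, or encrypting to, an unexpected key.
exit( $problems ? 1 : 0 );
```

The fingerprint table is the only thing that needs protecting: if it is held in MySQL as the post suggests, restrict write access to that table to the administrator who adds keys, and let the automation account read it only. Importing a key never changes how far gpg trusts it, so this check is what stands in for the manual fingerprint verification a person would otherwise do.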