Re: GnuPG not working when in BATCH (564 Views)
Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 1 of 22 (753 Views)

GnuPG not working when in BATCH

A client has a command procedure to pull encrypted files from an ftp site and then decrypt them. They now want to do this on a nightly basis and tried putting their procedure in a resubmitting BATCH job.

 

Interactively, their command procedure works to decrypt the files with this line doing the PGP decryption:

 

$ PIPE gpg -v  --no-tty --passphrase-fd 0 --output "file.csv" --decrypt "file^.csv.pgp" < PASSPHRASE.TXT

 

However, in BATCH, the 'gpg' command seems to go into an infinite loop.

 

I'm thinking something is confusing the 'gpg --passphrase-fd 0 ...' in batch mode.

 

 

Please, no lectures about the PASSPHRASE in a file...

Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 2 of 22 (748 Views)

Re: GnuPG not working when in BATCH

FWIW, I found that just trying to use GPG in batch is the problem:

 

$ SET PROCESS/PARSE_STYLE=EXTENDED
$ @SYS$COMMON:[GnuPG]GnuPG_SETUP.COM
$ GPG   == "$SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.G10.ALPHAL]GPG.EXE
$ GPGV  == "$SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.G10.ALPHAL]GPGV.EXE
$ gpg -?


Infinite loop! 

 

$ gpg --version
gpg (GnuPG) 1.4.11a
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


 

Honored Contributor
Hoff
Posts: 4,905
Registered: ‎01-29-2006
Message 3 of 22 (745 Views)

Re: GnuPG not working when in BATCH

Are you running the HP GnuPG port, Mr Schweda's port, your own port, or some other port?

 

If you're not running Mr Schweda's port, start there.  Failing that, maybe try your own port?

Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 4 of 22 (743 Views)

Re: GnuPG not working when in BATCH

The GnuPG on the HP site.

 

Honored Contributor
Hoff
Posts: 4,905
Registered: ‎01-29-2006
Message 5 of 22 (741 Views)

Re: GnuPG not working when in BATCH

Then definitely try Steven's GnuPG port.
Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 6 of 22 (739 Views)

Re: GnuPG not working when in BATCH

I stand corrected:

 

$SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.G10.ALPHAL]GPG.EXE

-------------------------------------------------^^^^^^^^

 

I looked at the HP site and that version is 1.4.7.

Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 7 of 22 (738 Views)

Re: GnuPG not working when in BATCH

Definitely  Steven M. Schweda's build... as per SYS$COMMON:[GNUPG.GNUPG-1_4_11A_VMS.VMS]VMS_NOTES.TXT...

 

   When reporting problems, especially build problems, with GnuPG for
VMS, it is often useful to reveal precise compiler, run-time library,
and VMS version information.  The program DECC_VER.C (included in the
kit) is intended to make that easier.

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode.info
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547



Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 8 of 22 (727 Views)

Re: GnuPG not working when in BATCH

>    When reporting problems, [...]

 

   While it's always gratifying to see one's advice quoted, it can be
even more satisfying when it's followed.


> However, in BATCH, the 'gpg' command seem to go into an infinite loop.

 

   Apparently something does.  I'd never tried:
      pipe gpg --passphrase-fd 0 ... < pp.txt
but it does seem to loop.  What did work for me were things like:
       pp_symb = "Pass Phrase"
       pipe write sys$output pp_symb | gpg --passphrase-fd 0 ...
and:
       pipe type pp.txt | gpg --passphrase-fd 0 ...


Both seem satisfactory in and out of batch mode.

 

   When I get bored enough, I might look into what's happening in the
"pipe gpg --passphrase-fd 0 ... < file" case.  I should be able to add a
usage note on the Web page, if nothing else.

Honored Contributor
John Gillings
Posts: 2,992
Registered: ‎07-31-2003
Message 9 of 22 (724 Views)

Re: GnuPG not working when in BATCH

Brian,

   Maybe instead of using PIPE input redirection, try DEFINE/USER. For example:

 

$ DEFINE/USER SYS$INPUT PASSPHRASE.TXT

$ gpg ....

 

or possibly:

 

$ DEFINE/USER SYS$COMMAND PASSPHRASE.TXT

$ gpg ....

 

With Unix utilities I've sometimes found it necessary to redirect SYS$COMMAND when running in batch mode:

 

$ DEFINE/USER SYS$COMMAND NL:

$ PIPE gpg... < PASSPHRASE.TXT

 

Never quite understood why. It may have something to do with the assumptions about input streams and the differences between Unix and VMS.

A crucible of informative mistakes
Honored Contributor
The Brit
Posts: 1,287
Registered: ‎06-18-2007
Message 10 of 22 (713 Views)

Re: GnuPG not working when in BATCH

Brian,  

 

this works for us.

 

$ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

 

Dave.

Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 11 of 22 (696 Views)

Re: GnuPG not working when in BATCH

> this works for us.
>
> $ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

   Really?  Without the "--passphrase-fd 0"?  Around here
(interactively):

alp $ pipe type pp.txt | gpg -d -o bat6.out login.com-gpg

You need a passphrase to unlock the secret key for
user: "Steven M. Schweda (Antinode 2011) <sms@antinode.info>"
2048-bit RSA key, ID EFCC5412, created 2011-09-01 (main key ID C6803C31)

Enter passphrase:
[...]

Same for an interactive DCL procedure.  In a batch job:

alp $ type [--]decr_bat6.log
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
gpg: fatal: error disabling terminal echo: illegal i/o function code
secmem usage: 1664/1824 bytes in 4/5 blocks of pool 1824/32768
  SMS          job terminated at  6-SEP-2011 10:04:46.99

  Accounting information:
[...]

alp $ gpg --version
gpg (GnuPG) 1.4.11b
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


Honored Contributor
The Brit
Posts: 1,287
Registered: ‎06-18-2007
Message 12 of 22 (690 Views)

Re: GnuPG not working when in BATCH

Yes Steven,

 

This is the code being executed (with redactions.)

 

$!
$!         Step 5: De-crypt the file.
$!
$     PMDF Mail /Subject="File ''Encr_File' retrieved from XXXX."   NL:    "EON_Admin"
$     Write sys$output ">>> ''f$time()' Encrypted File Retrieved from XXXX"
$     Open/Append Hist_File LOGS_OB:INVRETR.HIST
$     Write Hist_file ">>> ''f$time()' ''Encr_File' retrieved from XXX..."
$     Close Hist_File
$!
$     Write sys$output ">>> Decrypt the file..."
$     Write sys$output ">>>    ''Encr_File' ==> ''Decr_File'"
$!
$     pipe ty Userroot:[EOD.GNUPG]EON_PP.Txt | GPG --output  'Decr_File'  --decrypt  'Encr_File'
$     Stat = $status
$!
$    Dir/date=(C,M)/Size=all 'FileName'.*

 

and this is the log output.

>>> 2-SEP-2011 07:02:59.42 Encrypted File Retrieved from XXXX
>>> Decrypt the file...
>>>    TSS001_INV_20110901_16550_ZIP.PGP ==> TSS001_INV_20110901_16550_ZIP.ZIP

gpg: Please note that you don't have secure memory on this system
gpg: WARNING: program may create a core file!
Enter passphrase:
gpg: encrypted with 2048-bit ELG-E key, ID AB95A97F, created 2008-03-11
"Xxxxxx End Night (Testing only) <END_NIGHT@Xxxxxxx.com>"
gpg: Signature made Fri Sep 2 05:58:07 2011 EDT using DSA key ID C2DC5ED6
gpg: Can't check signature: public key not found

Directory RRD_ROOT:[000000]

TSS001_INV_20110901_16550_ZIP.PGP;1
                                         382978/383031 2-SEP-2011 06:36:28.92
TSS001_INV_20110901_16550_ZIP.ZIP;1
                                         383328/383396 2-SEP-2011 07:03:00.14

Total of 2 files, 766306/766427 blocks.

 

This is the version I/we are using.

$  gpg --version
gpg: Please note that you don't have secure memory on this system
gpg (GnuPG) 1.4.7
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

 

I apologize if this is not supposed to work.

 

Dave

Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 13 of 22 (687 Views)

Re: GnuPG not working when in BATCH

> $  gpg --version

> gpg: Please note that you don't have secure memory on this system

> gpg (GnuPG) 1.4.7

> [...]


   Ah.  That looks like HP's kit, which could account for many things.
I'd need to do some research, but it may be looking at stdin/SYS$INPUT
instead of SYS$COMMAND.

   There are reasons for a complete/useful problem (or other behavior)
report to include versions and other environment info.


> I apologize if this is not supposed to work.

   Accepted.  (Blame HP, not me.  I'm moderately confident that GnuPG is
not supposed to accept a pass phrase from stdin without a special
dispensation ("--passphrase-fd 0").)

Honored Contributor
The Brit
Posts: 1,287
Registered: ‎06-18-2007
Message 14 of 22 (683 Views)

Re: GnuPG not working when in BATCH

My process has been in place (in our Production Environment) for 3-4 years without any issues.      Have never felt the need to upgrade (and possibly break) a process which was/is working.

 

However, I realize that time moves on for everyone else, and the old stuff starts to look strange.

 

Dave.

Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 15 of 22 (679 Views)

Re: GnuPG not working when in BATCH


$ PIPE TYPE 'PASSPHRASE_FILE' | gpg --passphrase-fd 0 ...

 

Works, whereas:

 

$ PIPE gpg --passphrase-fd 0 ... < 'PASSPHRASE_FILE'

 

does not.

 

The latter DOES work INTERACTIVEly and in SPAWNed subprocesses.

 

For now, this will get the client rolling but it would be nice to know why --passphrase-fd 0 ... < 'PASSPHRASE_FILE' doesn't work in BATCH.

Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 16 of 22 (666 Views)

Re: GnuPG not working when in BATCH

The last report was incorrect.  The BATCH job doesn't loop but it also doesn't decrypt the file.

 

Going back to the  < until this can be sorted out.


Frequent Advisor
Brian  Schenkenberger
Posts: 73
Registered: ‎12-17-2004
Message 17 of 22 (664 Views)

Re: GnuPG not working when in BATCH


The Brit wrote:

Brian,  

 

this works for us.

 

$ pipe ty <Passphrase_File> | GPG --output 'Decr_File' --decrypt 'Encr_File'

 

Dave.


That doesn't even make sense.  Why would you direct from the file into TYPE and output to the pipe (with the | doesn't make sense) when a simple TYPE would suffice?

 

Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 18 of 22 (661 Views)

Re: GnuPG not working when in BATCH

> The last report was incorrect.  The BATCH job doesn't loop but it also
> doesn't decrypt the file.

   As I said, it works for me.  And has for a while:

      http://h30499.www3.hp.com/t5/x/x/td-p/5097162

 

I'd expect the batch job log file to offer some info on what went awry.

 

 

> Have never felt the need to upgrade [...]

   I'm not arguing.  I find the key server stuff in mine handy from time
to time, and, while I use this stuff very seldom, I've run into a bunch
of bugs in the HP edition.  For example, if you're looking for my public
key (the one whose pass phrase I can remember, any way):

alp $ gpg --search-keys antinode 2011 schweda
gpg: searching for "antinode 2011 schweda" from hkp server keys.gnupg.net
(1)     Steven M. Schweda (Antinode 2011) <sms@antinode.info>
          2048 bit RSA key C6803C31, created: 2011-09-01
Keys 1-1 of 1 for "antinode 2011 schweda".  Enter number(s), N)ext, or Q)uit > q

And, of course, there are the security/bug fixes in the main code
between versions 1.4.7 and 1.4.11.

 

   And I never see this:

 

> gpg: Please note that you don't have secure memory on this system

 

And I can build the latest stuff on VAX (except for a couple of the hash
algorithms).  And ..., but you get the idea.

Honored Contributor
The Brit
Posts: 1,287
Registered: ‎06-18-2007
Message 19 of 22 (661 Views)

Re: GnuPG not working when in BATCH

I'm not sure I understand your reply, Brian.  A couple of posts ago you wrote

 

> $  PIPE TYPE 'PASSPHRASE_FILE'| gpg --passphrase-fd 0 ...

 

> Works,

 

and I assume here that "PASSPHRASE_FILE" is just a symbol containing the full path to the file containing the passphrase.   Now bear in mind I am using a different, much older version than you, how is this different from what I wrote??

 

i.e.    $ Pipe Ty <passphrase_file> | gpg --output ...

 

where here "<passphrase_file>" is the path to the file containing the passphrase.      

 

Note:    the syntax  "--passphrase-fd 0" does not exist in my version (or at least it wasn't required).       My original response was made before the versions were discussed.

 

Finally, I am sorry that this doesn't make any sense to you, however it does apparently make sense to my version of GnuPG and OpenVMS.      I'm afraid that they are the guys that matter in this case.

 

Dave.

 

 

Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 20 of 22 (656 Views)

Re: GnuPG not working when in BATCH

   I'd guess that the "<" and ">" in "<Passphrase_File>" are what caused
the confusion.  This stuff gets ambiguous when pipes are involved, and
"<" and ">" are used for multiple purposes.  Especially when one person
is using them in one way, while the other person is using them in
another way.

Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 21 of 22 (647 Views)

Re: GnuPG not working when in BATCH

>    Ah.  That looks like HP's kit, which could account for many things.
> I'd need to do some research, but it may be looking at stdin/SYS$INPUT
> instead of SYS$COMMAND.

 

   For the curious but lazy, yes, HP's GnuPG 1.4.7 reads a passphrase
from SYS$INPUT.  My GnuPG for VMS uses ctermid() to identify the
controlling terminal, just as GnuPG normally does on a
UNIX(-like) system.  According to the CRTL HELP, on VMS, ctermid()
returns SYS$COMMAND.  See [.util]ttyio.c:tty_get_ttyname(), and HP's
[.vms]vms_config.h:HAVE_CTERMID (not defined) v. my
[.vms]config.h_vms:HAVE_CTERMID (defined).

Honored Contributor
Steven Schweda
Posts: 9,058
Registered: ‎02-23-2005
Message 22 of 22 (564 Views)

Re: GnuPG not working when in BATCH
