command line complexity

Posted Jan 21, 2026 17:37 UTC (Wed) by ballombe (subscriber, #9523)
Parent article: Responses to gpg.fail

Debian popularity-contest needs to encrypt a file non-interactively with a fixed, locally available, public PGP key.
This requires the creation of a temporary directory and the use of 11 command line options to gpg:

    GPGHOME=`mktemp -d`
    gpg --batch --no-options --no-default-keyring --trust-model=always \
        --homedir "$GPGHOME" --keyring $KEYRING --quiet \
        --armor -o "$POPCONGPG" -r $POPCONKEY --encrypt "$POPCON"
    rm -rf "$GPGHOME"

In particular there does not seem to be any way to specify a public key as a standalone file instead of as part of a keyring.



command line complexity

Posted Jan 21, 2026 18:07 UTC (Wed) by hailfinger (subscriber, #76962)

Oh wow. According to the man page for Sequoia, this is easier with sq.

sq encrypt --for-file=publickey.pgp message.txt --output message.pgp

command line complexity

Posted Jan 21, 2026 18:33 UTC (Wed) by guillemj (subscriber, #49706)

With a SOP (Stateless OpenPGP CLI <https://dkg.gitlab.io/openpgp-stateless-cli/>) implementation it is trivial as well:

$ $SOP encrypt cert.pgp <message.txt >message.pgp

Where $SOP can be any of 'sqop', 'rsop', 'gosop', 'pgpainless-cli' (or other implementations) for example.

command line complexity

Posted Jan 21, 2026 18:22 UTC (Wed) by dskoll (subscriber, #1630)

Yes, trying to script anything with gpg is an absolute nightmare. It was never really designed to be run non-interactively, I think.

Plain text keyring directory.

Posted Jan 21, 2026 23:43 UTC (Wed) by alx.manpages (subscriber, #145117)

This is also relatively inherent to the fact that gpg(1) uses a binary keyring unnecessarily.

I wish (and suggested on the mailing list some time ago) that the keyring were just a set of plain-text files, similar to how SSH works. That would as a side effect (likely) make it easier to specify different files for a given use, or maybe even stdin.

command line complexity

Posted Jan 22, 2026 5:22 UTC (Thu) by jkingweb (subscriber, #113039)

There's something deeply ironic about a command invocation with eleven options where one of the options is "--no-options".

command line complexity

Posted Jan 22, 2026 11:52 UTC (Thu) by dd9jn (✭ supporter ✭, #4459)

Available since 2.1.14, released summer 2016, which should even be available in Debian for some years:
   gpg -e -a --batch  -o "$POPCONGPG" -f "$FILEWITHKEY"  "$POPCON"
I would use this in a pipeline without -o when sending, though.
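The non-interactive encryption popcon needs (the original post) done with the --recipient-file form from this comment, as a POSIX sh example added here; it is not popcon's script and not any commenter's code. It confines gpg's state to a throwaway --homedir that is removed afterwards, and checks the gpg version first since --recipient-file needs 2.1.14 or newer. The function names and their argument order are this example's own.

```shell
#!/bin/sh
# Added example (not popcon's script): encrypt a file non-interactively to a
# standalone public-key file with gpg --recipient-file (gpg >= 2.1.14), with
# all gpg state confined to a temporary --homedir so ~/.gnupg is untouched.
# The function names and arguments are this example's own.

# Succeed if the installed gpg is 2.1.14 or newer (the first release with
# --recipient-file). The version is parsed from the first line of
# `gpg --version`, e.g. "gpg (GnuPG) 2.4.4".
gpg_supports_recipient_file() {
    v=$(gpg --version 2>/dev/null | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    # Pack major.minor.patch into one integer: 2.1.14 -> 2001014.
    [ $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} )) -ge 2001014 ]
}

# popcon_encrypt PUBKEY_FILE PLAINTEXT CIPHERTEXT
# Writes the ASCII-armored encryption of PLAINTEXT to CIPHERTEXT. gpg treats
# the key in PUBKEY_FILE as fully valid, so no keyring and no --trust-model
# are needed. Returns gpg's exit status.
popcon_encrypt() {
    pubkey=$1; plain=$2; cipher=$3
    gpg_supports_recipient_file || {
        echo 'popcon_encrypt: gpg >= 2.1.14 is required for --recipient-file' >&2
        return 1
    }
    home=$(mktemp -d) || return 1
    # if/else keeps a failing gpg from aborting the caller under set -e before
    # the cleanup below has run.
    if gpg --homedir "$home" --batch --quiet --armor \
           --recipient-file "$pubkey" --output "$cipher" --encrypt "$plain"; then
        rc=0
    else
        rc=$?
    fi
    # Stop any agent gpg started for this homedir, then remove the homedir
    # (POSIX sh has no RETURN trap, so clean up explicitly).
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$home"
    return "$rc"
}

# Usage (paths are placeholders), e.g. from a cron job:
#   popcon_encrypt /etc/popularity-contest/popcon.pub report.txt report.asc
```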

command line complexity

Posted Jan 22, 2026 15:36 UTC (Thu) by IanKelling (subscriber, #89418)

Random anecdote:

I discovered the "gnupg-ring:" option from randomly grepping source code. It fixed my problem of working with keyring files after an upgrade. E.g.: gpg --no-default-keyring --keyring gnupg-ring:/file/path.gpg

command line complexity

Posted Jan 22, 2026 20:12 UTC (Thu) by ballombe (subscriber, #9523)

Thanks, this is useful!

(gnupg (v1) support was added to Debian in summer 2013).

The full name of the -f option is --recipient-file, which does not make this option easy to find, since there are no recipients involved.

command line complexity

Posted Jan 24, 2026 19:13 UTC (Sat) by smcv (subscriber, #53363)

The option name does make sense if you think of gpg as a system for encrypting and authenticating messages (emails, or messages being submitted via http, or similar). In Debian's popcon, the recipient of the message (which therefore needs to be able to decrypt it) is the popcon server rather than a person, but it's still true that it's the recipient if you think of it that way.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds