gpg hates me now
Sep. 21st, 2006, 07:15 pm
I went to hack on brackup after a long break, and it bitches at me now. Or rather, gpg does:
sammy:trunk $ ./brackup --from=brackup --to=amazon \
gpg: 92FDF929: There is no assurance this key belongs to the named user
pub 4096g/92FDF929 2006-03-20 Brad Fitzpatrick <firstname.lastname@example.org>
Primary key fingerprint: E5C8 295F D1AB 7DE1 C5DF 7F68 FB52 E360 5E1B 3EC5
Subkey fingerprint: B269 19C9 1BAD 3458 7B9A B888 B9C6 667B 92FD F929
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
That's new. I must've upgraded.
Where's the --just-do-what-i-fucking-say option?
"--recipient", $gpg_rcpt, "--encrypt", "--output=$etmpfn", "--yes", $tmpfn)
and die "Failed to run gpg: $!\n";
Note the --yes. Apparently that means --unless-you-feel-bitchy-in-this-new-version.
Context switch time. No love for Brackup because gpg is full of hate.
In GnuPG's defense... you are trying to encipher to a key that you haven't signed. So, um, sign the key and move on? Do that as part of "install" or "configure"? Or just pass the terminal through?
Honestly, I don't think that --yes should exist at all. This ain't Windows. This is something that people actually trust to provide security/privacy to a somewhat real degree. It's got a pretty good reason to do so when it asks if you're sure.
(Am I missing something?)
You're trying to encipher to your own key?
Okay, so I should actually go look at your code.
It sounds, though, like you're trying to use gpg in a session-specific context. It's not made for that... not even from a code-design point of view, from a cryptology point of view. There are cipher models that are made for that (I hear SSL is popular...) ... but their key models generally suck.
Maybe what you actually want for this job is one of the various gpg-agent thingies?
2006-09-22 04:23 pm (UTC)
I have no clue what I want.
I want to encrypt chunks of files before I spray them across to untrusted parties on the net. Then when I get them back later, I want to be the only person to decrypt the chunks. (assuming I have my private key on a USB stick, a CD, and written down on paper in a vault)
Okay, and ... for that, I just do gpg -e -r <my keyID>, and I don't get whining. I do also have "encrypt-to <my keyID>" in ~/gnupg/gpg.conf (so that I encrypt outgoing email to both me and the recipient by default, so I can read it later). I get whining that my key ID is already on the list, but it's non-fatal. It's possible that they've just changed the behavior... but the fact that the error output says that you're trying to encipher to an untrusted key suggests to me that you've somehow dropped session awareness and are, for instance, using a functionally blank keychain in which your key's really not trusted.
If you're doing that on purpose... i.e., doing this somewhere without your Real keychain (including, i.e., self-sigs), then you really Should move your keychain over, and the encryption won't break. That'd be a "but that's how it's supposed to work" problem.
If you did that, and this is whinging at you despite it, then something's broke, but I'd be glad to take a few sober (hey, it's Saturday night, and I was working until ten minutes ago) moments to figure out what.
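For the two points raised above (the post's `--yes` not being the "just do it" switch, and the comment's explanation that the prompt comes from encrypting to a key the keyring does not trust), here is an added example of how a backup tool can call gpg so it never stops at "Use this key anyway? (y/N)". This is not brackup's code or the commenters' code; it assumes a `gpg` binary on PATH and that `$recipient_fpr` is replaced with the full 40-hex-digit fingerprint of your own key.

```perl
#!/usr/bin/perl
# Added example (not brackup's own code): encrypt one chunk to your own key
# without gpg ever stopping at the "Use this key anyway? (y/N)" prompt.
#
# Assumptions (not from the thread): a `gpg` binary on PATH, and
# $recipient_fpr set to the full fingerprint of the key you back up to.
use strict;
use warnings;

# Placeholder; replace with your own key's 40-hex-digit fingerprint.
my $recipient_fpr = 'REPLACE_WITH_40_HEX_DIGIT_FINGERPRINT';

# Encrypt $plain into $cipher for key $fpr. Returns 1 on success and dies
# with the reason gpg gave (exit status or signal) otherwise.
sub encrypt_chunk {
    my ($plain, $cipher, $fpr) = @_;

    my @cmd = (
        'gpg',
        '--batch',                  # never prompt: fail instead of hanging
        '--no-tty',                 # no terminal interaction at all
        '--trust-model', 'always',  # skip the web-of-trust check; the full
                                    # fingerprint below is the identity
                                    # assertion, so the "no assurance" question
                                    # is answered by you, once, here
        '--recipient', $fpr,        # full fingerprint, not a 32-bit short ID
        '--yes',                    # still useful: overwrite --output if present
        '--output', $cipher,
        '--encrypt', $plain,
    );

    # List-form system() bypasses the shell, so file names are passed verbatim.
    my $rc = system(@cmd);

    if ($rc == -1) {
        die "could not run gpg: $!\n";
    } elsif ($rc & 127) {
        die sprintf("gpg killed by signal %d\n", $rc & 127);
    } elsif ($rc >> 8) {
        die sprintf("gpg exited with status %d\n", $rc >> 8);
    }
    return 1;
}

# usage: ./encrypt-chunk.pl chunk.bin chunk.bin.gpg
if (@ARGV == 2) {
    encrypt_chunk($ARGV[0], $ARGV[1], $recipient_fpr);
    print "encrypted $ARGV[0] -> $ARGV[1]\n";
}
```

Two things worth knowing about this. `--yes` only answers yes/no questions such as "overwrite this file?"; the trust question is decided by the trust model, so with `--batch` and the default model gpg does not prompt but aborts with a non-zero status, which is what you want from a cron job. `--trust-model always` is acceptable here precisely because the recipient is pinned by full fingerprint rather than by name or short key ID. If you would rather keep the default trust model, the alternative is to tell gpg the key is your own once, with `gpg --edit-key <fingerprint> trust` (ultimate), after which the prompt disappears for that key in every tool that uses the keyring.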
You're making me wonder if you are going to seriously spend hours typing your private key back from your printout.
2006-09-27 09:09 pm (UTC)
I'd also have it on CD, USB stick, etc.
But yes, if that was the only way to recover my data, I'd type it in. Or try and OCR it. etc.