
I need to extend the expiration date of a GPG key, but all the answers or articles I can find do it interactively, for example. I need to embed the logic in a shell script, so I'm wondering how I can do it non-interactively?

Dagang

1 Answer


Suppose you have your key test@test.com and the passphrase for that key is stored in the file passphrase.txt; the following command will non-interactively change the expiration date:

printf "expire\n10w\nsave\n" | gpg --batch --pinentry-mode loopback --passphrase-fd 3 --command-fd 0 --status-fd=2 --edit-key test@test.com 3<passphrase.txt

(If it doesn't work because of pinentry invocation see NOTE below.)

Brief explanation of command:

  • printf "expire\n10w\nsave\n" sends these commands to gpg. expire changes the expiry date of the key, 10w is 10 weeks, save is obvious.
  • --batch says there will be no user input
  • --pinentry-mode loopback allows piping the passphrase file to gpg (see below)
  • --passphrase-fd 3 says that file descriptor 3 is where gpg should look for the passphrase (note 3<passphrase.txt at the end of the command).
  • --command-fd 0 says that file descriptor 0 (or STDIN) is where gpg should source --batch commands from (the printf portion at the beginning of the command).
  • --status-fd 2 says that status goes to 2 (or STDOUT); you might want to direct this to a log.
  • --edit-key test@test.com is the key we want to edit

This answer should give you a good idea of how to "automate" things with gpg. To make this complete you probably want to change the expiration of the encryption subkey, etc.

NOTE: Current versions of GnuPG don't allow piping the passphrase easily (they default to gpg-agent and a program called pinentry). For the sake of simplicity I enabled piping the passphrase by adding allow-loopback-pinentry to my gpg-agent.conf. Please note this is not secure and you likely want to implement your own pinentry (or use an existing one that suits your non-interactive workflow) and then set it in gpg-agent.conf.

blami
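The following script wraps the answer's edit-key session in reusable shell functions and adds the check the answer does not show: reading the key's expiry from gpg's machine-readable --with-colons output before and after the change, so a script can verify that the extension actually took effect. It also shows the subkey variant the answer mentions (selecting the subkey with "key N" before "expire"). This is an added example, not code from the original answer; the user ID demo@example.invalid, the file names, the throwaway GNUPGHOME and the sample colon output are constructed for the demonstration, and the demo part requires a working gpg 2.x install with allow-loopback-pinentry in the temporary gpg-agent.conf.

```shell
#!/bin/sh
# Non-interactive GPG expiry extension with verification (added example).

# Print the expiration timestamp (epoch seconds, empty when the key never
# expires) of the first record of type $1 ("pub" or "sub") read from
# `gpg --list-keys --with-colons` output on stdin. Field 7 is the expiry.
colon_expiry() {
    awk -F: -v t="$1" '$1 == t { print $7; exit }'
}

# Succeed (exit 0) only if the new expiry $2 is set and later than the old
# expiry $1; an empty old value (no expiry) is treated as 0.
expiry_extended() {
    [ -n "$2" ] && [ "${1:-0}" -lt "$2" ]
}

# The answer's command as a function: extend the primary key $1 by duration
# $2 (gpg syntax, e.g. 10w, 1y, 0 for never), reading the passphrase from
# file $3 on fd 3. Status lines go to stderr (fd 2).
extend_key_expiry() {
    printf 'expire\n%s\nsave\n' "$2" |
        gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
            --command-fd 0 --status-fd 2 --edit-key "$1" 3<"$3"
}

# Same, but for subkey number $4 (1 = first subkey), selected with "key N"
# before "expire" so the edit applies to the subkey instead of the primary.
extend_subkey_expiry() {
    printf 'key %s\nexpire\n%s\nsave\n' "$4" "$2" |
        gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
            --command-fd 0 --status-fd 2 --edit-key "$1" 3<"$3"
}

# Constructed sample of --with-colons output (key IDs and fingerprint are
# placeholders), used to exercise the parser without a keyring.
SAMPLE_COLONS='tru::1:1700000000:1706400000:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:1706400000::u:::scESC::::::23::0:
fpr:::::::::PLACEHOLDERFINGERPRINT0123456789ABCDEF:
uid:u::::1700000000::PLACEHOLDERUIDHASH::demo@example.invalid::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000:1703808000:::::e::::::23:'

# End-to-end demo in a throwaway GNUPGHOME: generate a key expiring in 1 week,
# extend it to 10 weeks, then confirm both the primary and the subkey moved.
demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    # Loopback pinentry only inside this temporary home, as the answer warns.
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    passfile="$GNUPGHOME/passphrase.txt"
    (umask 077; printf 'demo-passphrase\n' > "$passfile")   # mode 600

    gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
        --quick-generate-key demo@example.invalid default default 1w 3<"$passfile"

    before_pub=$(gpg --list-keys --with-colons demo@example.invalid | colon_expiry pub)
    before_sub=$(gpg --list-keys --with-colons demo@example.invalid | colon_expiry sub)

    extend_key_expiry    demo@example.invalid 10w "$passfile"
    extend_subkey_expiry demo@example.invalid 10w "$passfile" 1

    after_pub=$(gpg --list-keys --with-colons demo@example.invalid | colon_expiry pub)
    after_sub=$(gpg --list-keys --with-colons demo@example.invalid | colon_expiry sub)

    expiry_extended "$before_pub" "$after_pub" || { echo "primary expiry not extended" >&2; return 1; }
    expiry_extended "$before_sub" "$after_sub" || { echo "subkey expiry not extended" >&2; return 1; }
    echo "primary: $before_pub -> $after_pub, subkey: $before_sub -> $after_sub"
}

# Run the keyring demo only when explicitly asked: ./script.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Checking the --with-colons field rather than grepping the human-readable "expires:" line keeps the script robust against locale and layout changes; a cron job or CI step can fail loudly when expiry_extended returns non-zero instead of silently carrying on with a key that is about to lapse.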