
Allow universal --batch more, with STDIN reads
Closed, Resolved, Public

Description

Please support --batch mode, with STDIN reads, for *all* GPG operations which
would otherwise attempt to interactively read from a tty. This mostly applies to
Unix environments, perhaps all others as well. Classic use-cases include reading
a passphrase and instances like this:

$ printf "5\n" | gpg2 --batch --edit-key 67A92459607354C7 trust quit
... gpg: Sorry, we are in batchmode - can't get input

This should be a simpler alternative than setting the "--xxx-fd" options
individually, if that in fact achieves the same result. (Does it?)

The "meta" use-case is dedicated and securely automated environments using GnuPG
for cryptographic functionality. In this scenario, GnuPG commands come from
scripts and no user is present to answer questions.

Alternately, perhaps an option like --stdin-always for gpg.conf is provided
which means that tty reads always come from STDIN. This style of operation is
more or less the "common expectation" of Unix users when they first encounter GnuPG.

Thanks

Details

Version
2.1+

Event Timeline

JohnDB added projects: gnupg, Bug Report.
JohnDB added a subscriber: JohnDB.

An option like --stdout-as-tty may also be needed,
for completeness, to avoid /dev/tty writes.

I explained this already on the mailing list: gpg takes data from stdin but
sometimes needs to ask on the tty for a passphrase or confirmation. If you do
not want this, use --batch and --with-colons.

The --edit-key interface cannot be operated via stdin because this is a human
only interface. To automate --edit-key you need to use --status-fd and
--command-fd and apply an FSM for processing. This is required to keep the API
stable and to allow extending the --edit-key interface.

GnuPG 2.1 also has a bunch of new commands (--quick-foo) which can be used to do
the most common operations directly from the command line.

werner claimed this task.
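One way to build the --status-fd/--command-fd state machine werner describes, as an added example that is not GnuPG project code: a small Python driver that sets the owner trust of a key and then quits, i.e. the scripted equivalent of the "trust quit" attempt in the report. The prompt names it matches (keyedit.prompt, edit_ownertrust.value, edit_ownertrust.set_ultimate.okay) are assumptions taken from gpg's status interface; verify them against doc/DETAILS for the gpg version in use.

```python
import re
import subprocess

# Status lines on --status-fd look like "[GNUPG:] GET_LINE keyedit.prompt".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

class TrustFSM:
    """Answers gpg's --edit-key prompts to set owner trust, then quit.
    Prompt names are assumptions from gpg's status interface (see doc/DETAILS)."""
    def __init__(self, level):
        self.level = str(level)   # 1..5; 5 = ultimate
        self.state = "start"
    def answer(self, line):
        """Return the reply to write to --command-fd, or None if not a prompt."""
        m = STATUS_RE.match(line.strip())
        if not m: return None         # ordinary output, not a status line
        keyword, arg = m.group(1), m.group(2)
        if keyword == "GET_LINE" and arg == "keyedit.prompt":
            if self.state == "start":
                self.state = "trust_sent"
                return "trust"
            return "quit"             # trust already handled: leave the editor
        if keyword == "GET_LINE" and arg == "edit_ownertrust.value":
            self.state = "trust_done"
            return self.level
        if keyword == "GET_BOOL" and arg == "edit_ownertrust.set_ultimate.okay":
            return "y"                # only asked when level is 5
        if keyword == "GET_BOOL":
            return "n"                # unexpected yes/no question: refuse
        return None                   # GOT_IT, KEY_CONSIDERED, ...: ignore

def replay(status_lines, level):
    """Run the FSM over captured status output; returns the replies sent."""
    fsm = TrustFSM(level)
    return [r for r in map(fsm.answer, status_lines) if r is not None]

def set_owner_trust(keyid, level, gpg="gpg"):
    """Drive a real gpg: replies go to fd 0, status is read from fd 1."""
    proc = subprocess.Popen(
        [gpg, "--batch", "--no-tty", "--command-fd", "0", "--status-fd", "1",
         "--edit-key", keyid],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    fsm = TrustFSM(level)
    for line in proc.stdout:
        reply = fsm.answer(line)
        if reply is not None:
            proc.stdin.write(reply + "\n")
            proc.stdin.flush()
    proc.stdin.close()
    return proc.wait()
```

replay() lets the prompt handling be checked against captured status output without a keyring; set_owner_trust() is the same machine wired to a live gpg process.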