It is recommended not to use passphrase-protected keys with this gem. Remember, RSpec::PGPMatchers are meant for testing; therefore, there is no security trade-off involved. Nevertheless, passphrase-protected keys are supported as well. With some hassle, though…
Important: This guide was written for GnuPG 2.2. Other versions may require a different set of configuration options.
Passing the passphrase in gpg.conf
This is the easier option; however, it works only if you use the same passphrase for all the keys.
- Write GnuPG options to a config file located at <pgp/home/path>/gpg.conf:

      yes
      batch
      no-tty
      use-agent
      pinentry-mode loopback
      passphrase <passphrase>

- Write GnuPG Agent options to a config file located at <pgp/home/path>/gpg-agent.conf:

      allow-loopback-pinentry

- If GnuPG Agent was running, reload it to pick up the updated configuration:

      gpgconf --homedir <pgp/home/path> --reload gpg-agent
Passphrase presetting
This is the recommended and more comprehensive solution, though also a bit more complicated.
- Write GnuPG options to a config file located at <pgp/home/path>/gpg.conf:

      yes
      batch
      no-tty
      use-agent

- Write GnuPG Agent options to a config file located at <pgp/home/path>/gpg-agent.conf:

      allow-preset-passphrase

- If GnuPG Agent was running, reload it to pick up the updated configuration:

      gpgconf --homedir <pgp/home/path> --reload gpg-agent

- Obtain the keygrips of the password-protected keys you want to use:

      gpg --homedir <pgp/home/path> --list-keys --with-keygrip

  Note that sometimes you will need a subkey's keygrip rather than the primary key's. Subkeys are typically used for message encryption, but can be used for signing as well.

- Preset passwords for keys:

      gpg-preset-passphrase --homedir <pgp/home/path> --preset --passphrase <passphrase> <keygrip>

  or (will read the passphrase from standard input):

      gpg-preset-passphrase --homedir <pgp/home/path> --preset <keygrip>
Note that gpg-preset-passphrase is not in PATH on some systems. For instance, when GnuPG is installed on macOS via Homebrew, it is located at /usr/local/opt/gnupg/libexec, which is not in PATH by default.
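The keygrip lookup and preset steps above can be scripted. The following is an added example, not code from the gem: it assumes the machine-readable `--with-colons` listing and `gpgconf --list-dirs libexecdir` (neither appears in the guide above), and the function names and sample listing are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the gem): pick keygrips out of a machine-readable
# listing and preset a passphrase without putting it on the command line.

# Constructed sample of `gpg --list-keys --with-keygrip --with-colons` output.
sample_listing() {
  cat <<'EOF'
pub:u:2048:1:1111111111111111:1500000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::::Test Key <test@example.com>:
sub:u:2048:1:2222222222222222:1500000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
grp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
EOF
}

# Print "<record> <keyid> <capabilities> <keygrip>" for each key and subkey.
# In the colon format, field 5 is the key ID, field 12 the capabilities,
# and field 10 of the following "grp" record is the keygrip.
keygrips_from_colons() {
  awk -F: '
    $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
      rec = $1; id = $5; caps = $12
    }
    $1 == "grp" && rec != "" { print rec, id, caps, $10; rec = "" }
  '
}

# Keep only keygrips of keys that themselves have the given capability
# (lowercase letter: e = encrypt, s = sign), e.g. the encryption subkey.
keygrips_with_capability() {
  keygrips_from_colons | awk -v cap="$1" 'index($3, cap) { print $4 }'
}

# Preset the passphrase for keygrip $2 in GnuPG home $1. The passphrase is
# read from stdin, so it is not visible in the process list. The tool is
# resolved through gpgconf because it is often not in PATH.
preset_key() {
  tool="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
  "$tool" --homedir "$1" --preset "$2"
}

# Demo on the constructed listing: prints the encryption subkey's keygrip.
# Real use: gpg --homedir "$home" --list-keys --with-keygrip --with-colons |
#             keygrips_with_capability e
sample_listing | keygrips_with_capability e
```

With a real keyring, each keygrip printed this way can be passed to `preset_key <pgp/home/path> <keygrip>`, with the passphrase supplied on standard input.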
Resources
- The GNU Privacy Guard Manual:
- "Using gpg-agent on OS X" on wincent.com (main source of inspiration for the above writing)