Posted to dev@ant.apache.org by Stefan Bodewig <bo...@apache.org> on 2002/04/04 14:05:47 UTC

Anybody with GnuPG or PGP on Windows?

Hi,

I'd like to have a pgp/gnupg task that would sign files unless they
are up-to-date.  A simple wrapper around <apply> with some facade task
logic to switch between GnuPG/PGP 2.6.x/PGP >= 5.x to accommodate for
the different command line arguments they require.

At least on Unix, this does not involve playing with the spawned
process' stdin as GnuPG and friends read the passphrase by a different
mechanism (from /dev/tty on Unix, I guess).

The following buildfile works for me on Linux using GnuPG or PGP
2.6.3, I have no other PGP version installed so I couldn't test.
Could anybody please try whether the buildfile successfully signs
itself on Windows as well?

Thanks

        Stefan

[no attachments as our mailing-list software and Gnus are known to play
strange games with each other]

<project default="gpg-sign">

  <target name="gpg-sign">
    <exec executable="gpg">
      <arg value="--sign" />
      <arg value="--detach-sign" />
      <arg value="--armor" />
      <arg value="${ant.file}" />
    </exec>
  </target>

  <target name="pgp2-sign">
    <exec executable="pgp">
      <arg value="-sba" />
      <arg value="${ant.file}" />
    </exec>
  </target>

</project>

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: AW: Anybody with GnuPG or PGP on Windows?

Posted by Peter Donald <pe...@apache.org>.
On Tue, 9 Apr 2002 03:52, Thomas Christen wrote:
> > So I could write a GnuPG task for Unix today and probably never for
> > Windows, bad luck.
>
> When I wrote my GnuPG - Task (which wraps GnuPG into ant) I faced the same
> problem since we are using ant as our automation facility within the
> production we needed a PGP compatible de-/encryption. Obviously there is no
> secure way to do that - even the mentioned hack with the tty ...
>
> Extract from the GnuPG FAQ
>
> 4.14) How can I use GnuPG in an automated environment?
> You should use the option --batch and don't use pass phrases as there is
> usually no way to store it more secure than the secret keyring itself. 

How about doing something like using the proposed prompt task then passing
the result data in on stdin and using the "--passphrase-fd 0" arg?

-- 
Cheers,

Pete

Hey, you sass that hoopy Ford Prefect?



Re: Anybody with GnuPG or PGP on Windows?

Posted by Stefan Bodewig <bo...@apache.org>.
On Tue, 9 Apr 2002, Peter Donald <pe...@apache.org> wrote:

> So it never needs to be echoed anywhere. You just store it in memory
> in the <input/> task and use it in the gpg task.

<input> will echo it.

Stefan



Re: Anybody with GnuPG or PGP on Windows?

Posted by Stefan Bodewig <bo...@apache.org>.
On Wed, 10 Apr 2002, Diane Holt <ho...@yahoo.com> wrote:
> --- Stefan Bodewig <bo...@apache.org> wrote:
>> > (Too bad you can't just exec 'stty -echo' :)
>> 
>> Don't laugh, I've tried it some weeks ago - unfortunately it
>> doesn't work.
> 
> It'd work from $HOME/.antrc:

Erm, sure - I wanted to do it from inside Java, not at the shell
level.  An attribute to input that would turn echo off for things like
passwords has been the idea.

>> And even if it did, I wouldn't win anything.  GnuPG and PGP
>> work on Unix and I don't think stty is an option on Windows.

GnuPG doesn't read the passphrase from stdin on Unix - no echo at all
and the input gets to the forked executable automagically.

Stefan



Re: Anybody with GnuPG or PGP on Windows?

Posted by Diane Holt <ho...@yahoo.com>.
--- Stefan Bodewig <bo...@apache.org> wrote:
> > (Too bad you can't just exec 'stty -echo' :)
> 
> Don't laugh, I've tried it some weeks ago - unfortunately it doesn't
> work.

It'd work from $HOME/.antrc:

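#!/bin/sh

# Prompt for the password with terminal echo switched off.
printf "Password: "
stty -echo
read -r passwd
stty echo
echo    # the typed newline was not echoed, so move to the next line
# Hand the value to Ant as the property "passwd".
ANT_OPTS="$ANT_OPTS -Dpasswd=$passwd"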

Of course, if you didn't want to always prompt for a password, you'd need
to beef up the script a bit (probably have it parse the Ant command line
for a particular target -- and, of course, you'd only be able to run that
target from the command line, not as a dependency).

> And even if it did, I wouldn't win anything.  GnuPG and PGP
> work on Unix and I don't think stty is an option on Windows.

I'm not sure I follow this (except the bit about Windows not having 'stty'
:), but then again, I wasn't following this thread until your post about
not being able to turn echo'ing keyboard input off in Java.

Diane

=====
(holtdl@yahoo.com)
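
Added example, not code from any poster in this thread: a shell sketch that combines the ideas discussed here, signing only files whose detached signature is missing or stale, prompting with echo off, and handing the passphrase to gpg on stdin with `--passphrase-fd 0` instead of through `-D` in ANT_OPTS, where it would sit in the JVM's argument list. The function names and the overridable `GPG` variable are assumptions; `--pinentry-mode loopback` is needed by GnuPG 2.1 and later and is not part of the 2002-era tools the thread used.

```shell
#!/bin/sh
# Added example; function names and the GPG override are assumptions.
GPG=${GPG:-gpg}

# Succeeds when FILE has no detached signature or is newer than FILE.asc.
needs_signing() {
    [ ! -f "$1.asc" ] || [ -n "$(find "$1" -newer "$1.asc")" ]
}

# Prompt on the controlling terminal with echo off; result is left in SECRET.
# The saved terminal settings are restored even if the user interrupts.
read_secret() {
    saved=$(stty -g </dev/tty)
    trap 'stty "$saved" </dev/tty; exit 130' INT TERM
    printf '%s' "$1" >/dev/tty
    stty -echo </dev/tty
    IFS= read -r SECRET </dev/tty
    stty "$saved" </dev/tty
    trap - INT TERM
    printf '\n' >/dev/tty
}

# Write FILE.asc, feeding the passphrase to gpg on stdin (fd 0) so that it
# is never part of any command line or environment. printf is a builtin in
# bash and dash, so no process carries the passphrase in its argv.
# --pinentry-mode loopback is required by GnuPG 2.1+; drop it for 1.x.
sign_file() {    # usage: sign_file FILE PASSPHRASE
    printf '%s\n' "$2" |
        "$GPG" --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
               --armor --detach-sign "$1"
}

# Sign only the files whose signature is missing or stale.
sign_if_stale() {    # usage: sign_if_stale PASSPHRASE FILE...
    pass=$1
    shift
    for f in "$@"; do
        if needs_signing "$f"; then
            sign_file "$f" "$pass" || return 1
        fi
    done
}

# Typical use from a terminal:
#   read_secret "Passphrase: " && sign_if_stale "$SECRET" build.xml; unset SECRET
```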





Re: Anybody with GnuPG or PGP on Windows?

Posted by Stefan Bodewig <bo...@apache.org>.
On Tue, 9 Apr 2002, Diane Holt <ho...@yahoo.com> wrote:
> --- Stefan Bodewig wrote:

>> (I couldn't find a way to suppress echo from within Java yet).
> 
> http://www.jguru.com/faq/view.jsp?EID=23448

Yes, I know that trick, but Ant won't give the task access to
System.out.  System.out is hidden behind Ant's logging system, which
in turn is line-buffered, no chance.

> (Too bad you can't just exec 'stty -echo' :)

Don't laugh, I've tried it some weeks ago - unfortunately it doesn't
work.  And even if it did, I wouldn't win anything.  GnuPG and PGP
work on Unix and I don't think stty is an option on Windows.

Stefan



Re: Anybody with GnuPG or PGP on Windows?

Posted by Diane Holt <ho...@yahoo.com>.
--- Stefan Bodewig wrote:
> (I couldn't find a way to suppress echo from within Java yet).

http://www.jguru.com/faq/view.jsp?EID=23448

Don't stop at the short answer -- scroll down for the "Eraser" workaround.
(Too bad you can't just exec 'stty -echo' :)

Diane


=====
(holtdl@yahoo.com)





Re: Anybody with GnuPG or PGP on Windows?

Posted by Peter Donald <pe...@apache.org>.
On Tue, 9 Apr 2002 19:17, Stefan Bodewig wrote:
> Actually I just wanted an interactive version to start with, and using
> exec as is works perfectly well on Unix.
>
> Peter's suggestion may work, but it means that Ant will store the
> passphrase somewhere (even if it was just for the time the build is
> running) *and* the passphrase was echoed to the terminal you used to
> invoke Ant (I couldn't find a way to suppress echo from within Java
> yet).

I am not sure I understand you exactly. What I was suggesting was passing in 
the passphrase on a filedescriptor (stdin in the example). So it never needs 
to be echoed anywhere. You just store it in memory in the <input/> task and
use it in the gpg task. If you were really paranoid you could delete the
property after ;)

-- 
Cheers,

Pete

--------------------------------------------------
"An intellectual is someone who has been educated 
beyond their intelligence."
--------------------------------------------------



Re: Anybody with GnuPG or PGP on Windows?

Posted by Stefan Bodewig <bo...@apache.org>.
On Mon, 8 Apr 2002, Thomas Christen <ch...@active.ch> wrote:

> Obviously there is no secure way to do that - even the mentioned
> hack with the tty ...
>
> Extract from the GnuPG FAQ
> 
> 4.14) How can I use GnuPG in an automated environment?

Actually I just wanted an interactive version to start with, and using
exec as is works perfectly well on Unix.

Peter's suggestion may work, but it means that Ant will store the
passphrase somewhere (even if it was just for the time the build is
running) *and* the passphrase was echoed to the terminal you used to
invoke Ant (I couldn't find a way to suppress echo from within Java
yet).

Stefan



AW: Anybody with GnuPG or PGP on Windows?

Posted by Thomas Christen <ch...@active.ch>.

> So I could write a GnuPG task for Unix today and probably never for
> Windows, bad luck.

When I wrote my GnuPG - Task (which wraps GnuPG into ant) I faced the same
problem since we are using ant as our automation facility within the
production we needed a PGP compatible de-/encryption. Obviously there is no
secure way to do that - even the mentioned hack with the tty ...

Extract from the GnuPG FAQ

4.14) How can I use GnuPG in an automated environment?
You should use the option --batch and don't use pass phrases as there is
usually no way to store it more secure than the secret keyring itself. The
suggested way to create the keys for the automated environment is:

On a secure machine:

If you want to do automatic signing, create a signing subkey for your key
(edit menu, choose "addkey" and the DSA).
Make sure that you use a passphrase (Needed by the current implementation)
gpg --export-secret-subkeys --no-comment foo >secring.auto
Copy secring.auto and the public keyring to a test directory.
Cd to this directory.
gpg --homedir . --edit foo and use "passwd" to remove the pass-phrase from
the subkeys. You may also want to remove all unused subkeys.
copy secring.auto to a floppy and carry it to the target box

On the target machine:

Install secring.auto as secret keyring.
Now you can start your new service. It is a good idea to install some
intrusion detection system so that you hopefully get a notice of a
successful intrusion, so that you in turn can revoke all the subkeys
installed on that machine and install new subkeys.

Regards
Thomas Christen




Re: Anybody with GnuPG or PGP on Windows?

Posted by Stefan Bodewig <bo...@apache.org>.
On Fri, 5 Apr 2002, Nico Seessle <ni...@apache.org> wrote:

> GPG does not work if your key is protected by a passphrase. 

Which it should be, of course.

So I could write a GnuPG task for Unix today and probably never for
Windows, bad luck.

Stefan



xdoclet

Posted by Ara Abrahamian <ar...@yahoo.com>.
Hi everybody,

OK, Ant is fun but at xdoclet team we're having trouble with it :-) I
think we're a very important customer of yours (a 2.5MB Ant plugin!), so
please help us ;-)

The problem is Ant's introspection mechanism. XDoclet has some very
interesting requirements, and Ant 1.x's introspection code stops us. We
need a more dynamic introspection mechanism. Basically what we're trying
to do is make xdoclet more modular. We don't want to define
createWeblogic() or createJboss() methods in EjbDocletTask. It's silly
to hard-code them there. We want to create an EjbDocletTask (true for
other tasks such as webdoclet too) which finds subtasks such as
WeblogicSubTask/etc at runtime, loads and instantiates it and lets Ant
configure it. You know Ant expects to see addWeblogic/createWeblogic/etc
kind of methods in the task. But we don't want to define these methods.
We want to look at something like a properties file (basically very
similar to antlib stuff) and load all subtasks dynamically at runtime.

But we can't because the introspection code is hardcoded and not
extensible. Erik came up with a good solution actually but Peter vetoed
it AFAIK. We came up with a hack for this problem: use BCEL to define
all those createBlabla methods. I need advice from Ant gurus for this
case. Is it feasible? What's your suggestion? Note that we need it now
not a year later.

One of our team members has done an Ant-less proof of concept test for
it. Here is a snippet from his email:

<Aslak>
Here is how it works: A special class loader loads the original [task]
class. Before it returns the class, it instruments it with BCEL and adds
an arbitrary number of createBlaBla methods.

At the moment I have hardcoded what methods to create, but this can be
figured out by looking at the deployment descriptors (which I haven't
toyed with yet).

The issue is how do we tell Ant to use the instrumenting class loader? I
have taken a brief look at Ant's Taskdef and its Definer. I think we
need to subclass Taskdef and override the execute() method to use our
own class loader. It means that we'll need 2 taskdefs to use XDoclet
this way (until the Ant guys make it simpler for us).

<taskdef name="xtaskdef" classname="xdoclet.XTaskdef"/>
<xtaskdef name="ejbdoclet" classname="xdoclet.ejb.EjbDocletTask"/>

I haven't done this yet. Currently the proof of concept is a standalone
class, and is not run from Ant.

XTaskdef will do the business of looking at all the optional jars'
META-INF/xdoclet.xml to figure out what subtasks exist and instrument
the appropriate XDoclet Ant tasks using the instrumenting class loader.
</Aslak>

Thanks in advance,
Ara.





Re: Anybody with GnuPG or PGP on Windows?

Posted by Nico Seessle <ni...@apache.org>.
----- Original Message ----- 
From: "Stefan Bodewig" <bo...@apache.org>
To: <an...@jakarta.apache.org>
Sent: Thursday, April 04, 2002 2:05 PM
Subject: Anybody with GnuPG or PGP on Windows?


> At least on Unix, this does not involve playing with the spawned
> process' stdin as GnuPG and friends read the passphrase by a different
> mechanism (from /dev/tty on Unix, I guess).
> 
> The following buildfile works for me on Linux using GnuPG or PGP
> 2.6.3, I have no other PGP version installed so I couldn't test.
> Could anybody please try whether the buildfile successfully signs
> itself on Windows as well?

GPG does not work if your key is protected by a passphrase. 

Nico



