gpg encrypt file without keyboard interaction [closed]

bash gnupg crontab

I am running next command within a crontab to encrypt a file and I don't want a keyboard interaction

echo "PASSPHRASE" | gpg --passphrase-fd 0 -r USER --encrypt FILENAME.TXT

but I have this answer:

gpg: C042XXXX: There is no assurance this key belongs to the named user

pub  40XXX/C042XXXX 2012-01-11 Name LastName. (comment) <[email protected]>
 Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
      Subkey fingerprint: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

As David intimated, the problem here is that gpg doesn't trust the public key you're using to encrypt. You could sign the key as he explained.

An alternative--especially if the key might be changing occasionally--would be to tack on --trust-model always to your gpg command.

Here's the relevant bit from the man page:

--trust-model pgp|classic|direct|always|auto

     Set what trust model GnuPG should follow. The models are:

     pgp    This is the Web of Trust combined with trust signatures as used in
            PGP 5.x and later. This is the default trust model when creating a
            new trust database.

     classic
            This is the standard Web of Trust as used in PGP 2.x and earlier.

     direct Key validity is set directly by the user and  not  calculated  via
            the Web of Trust.

     always Skip  key  validation  and  assume that used keys are always fully
            trusted. You generally won't use this unless you  are  using  some
            external  validation  scheme.  This  option  also  suppresses  the
            "[uncertain]" tag printed with signature checks when there  is  no
            evidence that the user ID is bound to the key.

     auto   Select  the  trust  model depending on whatever the internal trust
            database says. This is  the  default  model  if  such  a  database
            already exists.

Here is my solution, based on gpg2 (but I bet you can apply similar technique to gpg)

$ gpg2 --edit-key {recipient email address}  
> trust
> 5 (select 5 if you ultimately trust the key) 
> save

This will tell gpg2 to trust the key fully, so that you can encrypt without prompt


The hack approach: 

echo -n PASSPHRASE > phrase
chmod 400 phrase #Make sure ONLY the user running the cron job can read the phrase
yes | gpg --passphrase-fd 3 --recipient USER --encrypt FILENAME.txt 3<phrase

The underlying problem is that the key you have for USER isn't signed. If you trust it, you can sign it with 

gpg --edit-key USER sign

It will probably ask a couple questions, depending on your configuration. Do this once, then you should be good to go in your crontab. I'd still recommend using the solution I proposed, putting the passphrase in a separate file and making it only readable by the one user that command runs as. If you do that, you can kill the yes |, and just have the encrypt line.

Related

Graphviz: change font for the whole graph?
Static block vs. initializer block in Java? [duplicate]
How can I pass arguments to anonymous functions in JavaScript?
What browsers currently support JavaScript's 'let' keyword?
Guava: Why is there no Lists.filter() function?
Function to concatenate paths?
A 'simple' way to implement Swagger in a Spring MVC application
How do I create a view controller file after creating a new view controller?
Haskell "do nothing" IO, or if without else
What are the signs of crosses initialization?
How does Firefox reader view operate
GitHub keeps saying "This branch is X commits ahead, Y commits behind"