How to import and verify a certificate (.gpg) using the command line

Hi Team,

We are using gpg4win-3.1.5.exe for file encryption/decryption. We are automating all the installation steps as part of cloud blue green deployment.

We require a PowerShell/command line script for importing and verifying certificates with a passphrase. Our certificates are in gpg, asc and txt format, some of them using a passphrase. Could you please assist on this?

Thanks
Ganesh

Hi,

If you plan to put the passphrase in a script you might want to remove the passphrase completely as usually it does not offer a security advantage if the passphrase is visible in the script anyway.

For import you can do:
gpg --status-fd 1 --import "c:\foo\key.gpg"

You will then get a line like:

[GNUPG:] IMPORT_OK 0 5BFBFFC6C0408D5BB0C9BDF46113F8991A8C17A9

See:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=74a63ef007fdf1903918351ac281847098ab3828;hb=HEAD#l928

For more info about what can be returned by this command.

That will tell you that the import worked.

To verify the passphrase:

gpg --status-fd 1 --passphrase "the passphrase" --pinentry-mode loopback --dry-run --passwd 5BFBFFC6C0408D5BB0C9BDF46113F8991A8C17A9

If "the passphrase" is correct you will get a line: [GNUPG:] SUCCESS keyedit.passwd

Otherwise you will get: [GNUPG:] ERROR keyedit.passwd 67108875

That should be parsable.

Hope this helps,
Andre

P.S.: If this helps you as support in a corporate environment please consider a voluntary payment the next time you download Gpg4win. Thanks!
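Andre's status lines above can be parsed rather than eyeballed. The following is an added example for this thread (not code from the Gpg4win project or from Andre): it assumes gpg is on PATH, builds the same two commands as argument lists, and decodes the numbers in the IMPORT_OK reason field (a bit mask documented in the DETAILS file linked above) and in the ERROR line (a libgpg-error number with the error source in the high byte and the error code in the low 16 bits; 67108875 is GPG_ERR_BAD_PASSPHRASE reported by gpg-agent). Only run_gpg() needs gpg; the parsers work on captured output.

```python
"""Parse the GnuPG --status-fd lines from a scripted import and passphrase check.

Added example for this thread, not code from Gpg4win or GnuPG. It parses the
status keywords quoted above (IMPORT_OK, SUCCESS/ERROR keyedit.passwd) and
builds the gpg argument lists; run_gpg() is the only part that needs gpg.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# IMPORT_OK <reason> [<fingerprint>]: reason is a bit mask (doc/DETAILS);
# 0 means the key was already present and nothing changed.
IMPORT_REASONS = {
    1: "entirely new key",
    2: "new user ids",
    4: "new signatures",
    8: "new subkeys",
    16: "contains private key",
}

# libgpg-error numbers: error source in bits 24..30, error code in the low
# 16 bits. Only the two values needed for the thread's example are named.
ERR_SOURCES = {4: "GPG_ERR_SOURCE_GPGAGENT"}
ERR_CODES = {11: "GPG_ERR_BAD_PASSPHRASE"}


def status_fields(output: str):
    """Yield the split fields of every '[GNUPG:] ...' line, ignoring other output."""
    for line in output.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                yield fields


def decode_import_reason(reason: int) -> List[str]:
    if reason == 0:
        return ["not actually changed"]
    return [name for bit, name in IMPORT_REASONS.items() if reason & bit]


def decode_gpg_error(number: int) -> Tuple[str, str]:
    source = (number >> 24) & 0x7F
    code = number & 0xFFFF
    return (ERR_SOURCES.get(source, f"source {source}"),
            ERR_CODES.get(code, f"code {code}"))


@dataclass
class ImportResult:
    imported: List[Tuple[str, List[str]]] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return bool(self.imported) and not self.problems


def parse_import(output: str) -> ImportResult:
    result = ImportResult()
    for fields in status_fields(output):
        if fields[0] == "IMPORT_OK" and len(fields) >= 3:
            result.imported.append((fields[2], decode_import_reason(int(fields[1]))))
        elif fields[0] == "IMPORT_PROBLEM":
            # IMPORT_PROBLEM <reason> [<fingerprint>]
            result.problems.append(fields[2] if len(fields) > 2 else "unknown")
    return result


def parse_passwd_check(output: str) -> Tuple[bool, Optional[Tuple[str, str]]]:
    """(True, None) on SUCCESS keyedit.passwd; (False, decoded error) on ERROR;
    (False, None) if gpg reported neither, which a script should treat as failure."""
    for fields in status_fields(output):
        if fields[:2] == ["SUCCESS", "keyedit.passwd"]:
            return True, None
        if fields[:2] == ["ERROR", "keyedit.passwd"] and len(fields) > 2:
            return False, decode_gpg_error(int(fields[2]))
    return False, None


def import_args(path: str, passphrase: Optional[str] = None, gpg: str = "gpg") -> List[str]:
    """Argument list for the import; a list avoids the quoting problems of a
    shell string (the curly quotes in the thread would be passed literally)."""
    args = [gpg, "--status-fd", "1"]
    if passphrase is not None:
        args += ["--pinentry-mode", "loopback", "--passphrase", passphrase]
    return args + ["--import", path]


def passwd_check_args(fingerprint: str, passphrase: str, gpg: str = "gpg") -> List[str]:
    return [gpg, "--status-fd", "1", "--pinentry-mode", "loopback",
            "--passphrase", passphrase, "--dry-run", "--passwd", fingerprint]


def run_gpg(args: List[str]) -> str:
    """Run gpg and return its stdout (where --status-fd 1 sends the status lines)."""
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout
```

Usage is `parse_import(run_gpg(import_args(path)))` followed by `parse_passwd_check(run_gpg(passwd_check_args(fpr, passphrase)))`; a deployment script can fail the instance when `ok` is False or the passphrase check does not return True.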

Hi Andre,

Thanks for your prompt response.

I have tried to use the above command to import the other certificate (.gpg). However, it's asking me to enter the passphrase (which has been provided by the certificate owner).

Please find my requirements below and advise me how to proceed further.
1). Currently we are using Kleopatra (GUI) to import others' certificates and to certify them.
2). Some of them have a passphrase and we give it while importing via Kleopatra.
3). When we certify the imported certificates there are three more steps to choose email, certify and other things.

We are doing the above steps (a one-time activity) on our on-premise server using Kleopatra. But if we are going to set up the same in the cloud with blue/green deployment, we need to automate all the manual steps, so that in case of auto-healing/scaling of the server (EC2 instance), all the setup will be installed/configured through scripts.

We have a script for GnuPG silent installation. But we are having more challenges importing and certifying others' certificates using Kleopatra.

Would you be able to help on this?

Thanks
Ganesh

Your use case sounds to me like it would be much better if you would just create one GnuPG Home directory and then copy it over when setting up a new instance. This would save you the hassle of setting it up with a script. All keys etc. are contained in %APPDATA%\gnupg so if you copy that folder everything will be set up.

In general to provide a passphrase on the command line you need to add "--pinentry-mode loopback" and --passphrase "the passphrase", e.g.:

gpg --pinentry-mode loopback --passphrase "test" --import ~/dev/main/div/inte-testdaten/test1-sec.asc

To sign (certify) a key on the command line, provide the key you wish to use for signing with the "-u" option and the keyid / fingerprint of the key you wish to certify with the --sign-key option.

gpg --batch --yes -u 5EB271E02EF2904E --pinentry-mode loopback --passphrase "test" --sign-key 30D84817E01C25A1

The big problem you have is that the imported secret key will not have ownertrust and so the certified key will not have validity. For this you need to use --edit-key afaik and that is not nice to script. It’s possible but difficult. (Use --status-fd and --command-fd)
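For the --edit-key step Andre mentions, the status/command fd pair can be driven from a script. The following is an added example (not code from GnuPG, Gpg4win or Andre): it answers the prompts gpg emits on --status-fd by writing replies to --command-fd, choosing ownertrust level 5 ("ultimately") as is usual for one's own imported key. The prompt keywords it matches (keyedit.prompt, edit_ownertrust.value, edit_ownertrust.set_ultimate.okay, keyedit.save.okay) come from GnuPG's key-edit status interface rather than from this thread, so treat them as assumptions to confirm against your gpg version; drive() takes the status stream and an output callback so the dialogue logic can be exercised without gpg.

```python
"""Drive `gpg --edit-key` through --status-fd/--command-fd to set ownertrust.

Added example for this thread, not code from GnuPG or Gpg4win. The prompt
names below are assumed from GnuPG's key-edit status interface; the thread
itself only names the mechanism (--status-fd plus --command-fd).
"""
import subprocess
from typing import Callable, Iterable, List, Optional

# Values of the `trust` menu: 1 unknown, 2 never, 3 marginal, 4 full, 5 ultimate.
OWNERTRUST_ULTIMATE = "5"


class OwnertrustDialog:
    """Answers gpg's prompts: `trust` once, the chosen level, confirm, then quit."""

    def __init__(self, level: str = OWNERTRUST_ULTIMATE):
        self.level = level
        self.trust_sent = False
        self.sent: List[str] = []

    def answer(self, status_line: str) -> Optional[str]:
        """Return the reply to write to --command-fd, or None for non-prompt lines."""
        fields = status_line.split()
        if (len(fields) < 3 or fields[0] != "[GNUPG:]"
                or fields[1] not in ("GET_LINE", "GET_BOOL", "GET_HIDDEN")):
            return None  # informational status (GOT_IT, KEY_CONSIDERED, ...) or plain output
        prompt = fields[2]
        if prompt == "keyedit.prompt":          # the "gpg>" menu prompt
            reply = "quit" if self.trust_sent else "trust"
            self.trust_sent = True
        elif prompt == "edit_ownertrust.value":  # "Your decision?"
            reply = self.level
        elif prompt in ("edit_ownertrust.set_ultimate.okay", "keyedit.save.okay"):
            reply = "y"
        else:
            # The dialogue diverged from the planned sequence; stop rather than
            # answer a prompt we did not anticipate.
            raise RuntimeError(f"unexpected gpg prompt: {prompt}")
        self.sent.append(reply)
        return reply


def drive(status_lines: Iterable[str], write: Callable[[str], None],
          level: str = OWNERTRUST_ULTIMATE) -> List[str]:
    """Feed every status line to the dialog and send its replies; returns what was sent."""
    dialog = OwnertrustDialog(level)
    for line in status_lines:
        reply = dialog.answer(line)
        if reply is not None:
            write(reply + "\n")
    return dialog.sent


def set_ownertrust(fingerprint: str, level: str = OWNERTRUST_ULTIMATE, gpg: str = "gpg"):
    """Real invocation: status lines arrive on stdout (fd 1), commands go to stdin (fd 0)."""
    proc = subprocess.Popen(
        [gpg, "--no-tty", "--status-fd", "1", "--command-fd", "0",
         "--edit-key", fingerprint],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True, bufsize=1)

    def write(s: str) -> None:
        proc.stdin.write(s)
        proc.stdin.flush()

    # readline() returns "" once gpg exits after `quit`, ending the loop.
    sent = drive(iter(proc.stdout.readline, ""), write, level)
    proc.stdin.close()
    return proc.wait(), sent
```

The `trust` change is written to the trust database immediately, so `quit` normally does not ask to save; the `keyedit.save.okay` branch is there only in case a gpg version does prompt. Check the returned exit status, and re-run with `--status-fd` output logged if the dialog raises on an unexpected prompt.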

Hi Andre,

Thank you very much for your prompt reply. I am now copying all the files from the folder %APPDATA%\gnupg into all my new instances.

The given commands have also helped me to do some of the activities.

Thanks
Ganesh