如何使用 php cli 解密 .pgp 文件

Question

It's the first time I need to do this.

I have to code a script in php to run with cli, the script is passed a .zip file which I have to decompress, the files inside are .pgp files and I need to decrypt these files, I have the following code.

function decryptPGPFiles($pgpFiles, $passphrase){
  $res = gnupg_init();
  foreach($pgpFiles as $filename){
    gnupg_adddecryptkey($res,"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",$passphrase);
    $cipher = file_get_contents($filename);
    $plain = gnupg_decrypt($res,$cipher);
    var_dump($plain);
    die;
  }
}

Of course the 'var_dump($plain);' and 'die;' are just for testing. Anyway the $plain is always false. Assume that $pgpFiles is an array of filenames for the .pgp files in the current dir.

I do have a private key with name 'private.gpg' in the current dir and also I know the $passphrase.

I know that the 2nd parameter for the function 'gnupg_adddecryptkey' is a $fingerprint according to php.net, when I run 'gpg --import private.gpg' and then 'gpg --fingerprint' it appears the respective fingerprint and that's the one I'm passing as parameter, anyway the fingerprint appears with several blankspaces and I trim them.

I'm sure I'm not doing the right steps, but I can't find a documentation clear enough for me. It is even possible to decrypt a .pgp file from php cli?

Thanks in advance.

Answer 1

According to a comment on the documentation:

gnupg_decrypt

Mike

As of gnupg version 2, it is not possible to pass a plain password any more. The parameter is simply ignored. Instead, a pinentry application will be launched in case of php running in cli mode. In cgi or apache mode, opening the key will fail. The simplest solution is to use keys without passwords.

Personally, I probably wouldn't use a key without a password as stated above though. I'm still looking for a better solution but something like this has worked for now:

shell_exec("gpg --batch --passphrase \"" . $passphrase . "\" -d $file > $decrypted_file_name");

Consider using this with escapeshellarg() or escapeshellcmd() if passing in potentially dangerous variables.

Answer 2

Have you tried invoking gnupg_geterror() after gnupg_adddecryptkey() ? I suspect your private key is not actually getting accepted. I assume it needs to be in PHP user's GPG keyring (ie whatever or whoever is invoking the script, not necessarily your GPG keyring)? Also in a couple of brief tests I ran, I kept getting prompted for the passphrase on the terminal, but that could be because of my paranoid gpg config (I disable passphrase caching completely). That would definitely break things in a non-interactive scenario...

Another way to trap errors would be to set gnupg_seterrormode() to ERROR_EXCEPTION or similar to see what's actually happening...