以下简短的python脚本接受三个命令行参数:密码短语、输入路径和输出路径。然后它使用密码短语来解密输入路径的内容,并将解密的内容放在输出路径中。
from gpg import Context
import sys
pp = sys.argv[1] # passphrase
enc = sys.argv[2] # input file (assumed to be encrypted)
dec = sys.argv[3] # output file
with open(enc, 'rb') as reader, open(dec, 'wb') as writer, Context() as ctx:
try:
ctx.decrypt(reader, sink=writer, passphrase=pp)
except Exception as e:
print(str(e), file=sys.stderr)
只要提供正确的口令,这个解密就很好,但是它显然导致了这种正确的口令的缓存,因此任何后续的解密尝试都不会成功,而不管所提供的密码短语是什么。(我在这篇文章的最后给出了一个更完整的说明,以及版本细节。)
显然,有一些密码短语缓存正在进行,但我不太了解细节。
我想知道的是:如何修改python脚本,使其禁用密码短语的缓存?请注意,我对如何在脚本之外禁用密码短语缓存不感兴趣!我希望脚本自动禁用密码短语缓存。有可能吗?
这是我上面提到的一个详细例子。脚本
./demo.py
是我在上面列出的源代码。重要提示:下面给出的代码仅在我从命令行执行时才显示。如果我将它放在一个文件中,并将其作为脚本执行(或源代码),那么使用错误密码短语的所有解密都将失败,而不管以前使用正确密码短语成功解密的情况如何。# Prologue: preparation
# First, define some variables
% ORIGINAL=/tmp/original.txt
% ENCRYPTED=/tmp/encrypted.gpg
% DECRYPTED=/tmp/decrypted.txt
% PASSPHRASE=yowzayowzayowza
# Next, create a cleartext original:
% echo 'Cool story, bro!' > "$ORIGINAL"
# Next, encrypt the original using /usr/bin/gpg
% rm -f "$ENCRYPTED"
% /usr/bin/gpg --batch --symmetric --cipher-algo=AES256 --compress-algo=zlib --passphrase="$PASSPHRASE" --output="$ENCRYPTED" "$ORIGINAL"
# Confirm encryption
% od -c "$ENCRYPTED"
0000000 214 \r 004 \t 003 002 304 006 020 % q 353 335 212 361 322
0000020 U 001 w 350 335 K 347 320 260 224 227 025 275 274 033 X
0000040 020 352 002 006 254 331 374 300 221 265 021 376 254 9 $ <
0000060 233 275 361 226 340 177 330 ! c 372 017 & 300 352 $ k
0000100 252 205 244 336 222 N 027 200 | 211 371 r Z ] 353 6
0000120 261 177 b 336 026 023 367 220 354 210 265 002 : r 262 037
0000140 367 L H 262 370
0000146
# Now, the demonstration proper.
# Initially, decryption with the wrong passphrase fails:
% rm -f "$DECRYPTED"
% python ./demo.py "certainly the wrong $PASSPHRASE" "$ENCRYPTED" "$DECRYPTED"
gpgme_op_decrypt_verify: GPGME: Decryption failed
# Decryption with the right passphrase succeeds:
% rm -f "$DECRYPTED"
% python ./demo.py "$PASSPHRASE" "$ENCRYPTED" "$DECRYPTED"
% od -c "$DECRYPTED"
0000000 C o o l s t o r y , b r o !
0000020 \n
0000021
# After the first successful decryption with the right
# passphrase, decryption with the wrong passphrase always
# succeeds:
% rm -f "$DECRYPTED"
% python ./demo.py "certainly the wrong $PASSPHRASE" "$ENCRYPTED" "$DECRYPTED"
% od -c "$DECRYPTED"
0000000 C o o l s t o r y , b r o !
0000020 \n
0000021
# Some relevant version info
% python -c 'import gpg; print((gpg.version.versionstr, gpg.version.gpgme_versionstr))'
('1.10.0', '1.8.0')
% gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/kj146/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
% python --version
Python 3.5.3
% uname -ar
Linux parakeet 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
最佳答案
在cgpgme
库(这是您使用的python库正在包装的)中挖掘,有:
https://www.gnupg.org/documentation/manuals/gpgme/Context-Flags.html#Context-Flags
"no-symkey-cache"
For OpenPGP disable the passphrase cache used for symmetrical en- and decryption.
This cache is based on the message specific salt value. Requires at least GnuPG
2.2.7 to have an effect.
我不确定上下文是如何与文件系统或GPG代理交互的,但您的第一次尝试应该将此标志设置为true。