
I need to use gnupg_decrypt to decrypt a file that is being sent to us but can't get it working.

When I use the gnupg_keyinfo to list all the public keys, it returns an empty array. Does anyone have any idea why this is happening?

The code I am using is:

<?php
$res = gnupg_init();             // uses the keyring in GNUPGHOME (or ~/.gnupg of the user PHP runs as)
$info = gnupg_keyinfo($res, ''); // an empty pattern should match every key in that keyring
print_r($info);

Looking at the comments of the above link, putting '' as the pattern should list all keys.

I have set up a public key on my server using the info provided here http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/gpg-cs.html

And when I run gpg --list-keys it shows it as being successfully created.

I have read somewhere that you have to put

putenv('GNUPGHOME=/tmp');

at the top of the page in order for it to work, but there is no reference to the key in that folder and I can't find out what location to set with the above.

I also read I may not have permission to the folder the key is stored in but again I am not sure where it is.

Could anyone help with this?

Thank you


To get this working I did the following

chown -R {{user}} ~/.gnupg
chmod 600 ~/.gnupg/*
chmod 700 ~/.gnupg

Then re-imported the key using the gnupg_import function.

Dan
  • `ls -al ~/.gnupg/`. Verify that directory and the files it contains are accessible by your web server. You may want to try your script from the command line: that will help you decide if it's a permission issue. Something like `php -r 'print_r(gnupg_keyinfo(gnupg_init(), ''));'` – bishop Nov 30 '16 at 17:03
  • Hi bishop, thank you for replying. I have run the script from the command line and it worked, so I guess that rules out the permissions issue (thanks for the tip by the way). I have posted a screenshot of what is returned from ls -al ~/.gnupg/. It looks ok to me, does it to you? The r's and w's are for read and write, correct? – Dan Nov 30 '16 at 17:14
  • Actually, the fact that it *succeeds* on the command line and *fails* in the web server means it *is* a permission issue. Your screen shot shows these files are owned by root, and your web server likely does not run as root. You need to change ownership of these files to that of the web server. Something like `chown -R apache ~/.gnupg`. To find out the web server user, something like `ps aux | egrep '(apache|httpd)'`. – bishop Nov 30 '16 at 18:11
  • Hi bishop, I understand now. I ran the same PHP logged in as another user and it did indeed return the same output as I get running it from the browser. I tried the chown -R {{user}} ~/.gnupg and it hasn't made it work. I put the {{user}} as the user which gets returned when I enter php -r 'echo exec("whoami");' – is that correct? When I did the ps aux | egrep '(apache|httpd)' it returned 1 root user and then the rest as nobody. Is this bad? – Dan Dec 01 '16 at 15:10
  • `nobody` is a typical web server child user. You should do `chown -R nobody ~/.gnupg` – bishop Dec 01 '16 at 15:30
  • I did the `chown -R nobody ~/.gnupg` and it still hasn't worked, in that I get the empty array when logged in as a non-root user. Do you have any other ideas of what it could be? I apologise for asking so often; I am sure you are very busy – Dan Dec 01 '16 at 15:41
  • Well, the permission problem is likely solved. Now you need to tell PHP where the files are, so try: `echo ~/.gnupg` and then take the output value (like `/root/.gnupg`) and then in your PHP before the `gnupg` calls do `putenv("GNUPGHOME=/root/.gnupg")` – bishop Dec 01 '16 at 15:45
  • Am I echoing the `~/.gnupg` from the root user or the user I get when running `echo exec('whoami');` (which I refer to as {{user}} above), as they both return different paths? I have tried a combination of `chown -R nobody ~/.gnupg`, `chown -R {{user}} ~/.gnupg` and `chown -R $(whoami) ~/.gnupg` and then for each of those put in `putenv("GNUPGHOME=/root/.gnupg");` or `putenv("GNUPGHOME=/home/{{user}}/.gnupg");` and none of them have worked for me. Thank you for all your help with this. – Dan Dec 01 '16 at 16:16
  • I got this working!!! I used the gnupg_import as suggested by Jens Erat and ran it again and it worked. Thank you for all your help again! – Dan Dec 01 '16 at 17:18


GnuPG has per-user keyrings. Your web server will not run as the root user (if it does, change that immediately), so you have to find out which user the web server runs as and import the secret key under that user account (often called www-data or something similar, which you could also su into). Alternatively, import the key through a PHP script.

Jens Erat
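A diagnostic script that applies this answer, added here as an example and not code from the question or from Jens Erat's answer: it reports which user PHP actually runs as, checks that GNUPGHOME is readable by that user, lists the keys the extension sees, and offers a helper for importing a key into that user's keyring. The PECL gnupg and posix extensions and the /var/www/.gnupg path are assumptions.

```php
<?php
// Added example (not code from the question or the answer). Assumes the PECL
// gnupg and posix extensions are loaded; $home is a placeholder keyring path.
function gnupg_diagnose(string $home): array
{
    // Which user is PHP running as? Under a web server this is usually not root.
    $uid  = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $user = ($uid !== null && function_exists('posix_getpwuid'))
        ? (posix_getpwuid($uid)['name'] ?? (string) $uid) : 'unknown';
    $report = [
        'effective_user' => $user,
        'gnupghome'      => $home,
        'dir_readable'   => is_readable($home),
        'dir_writable'   => is_writable($home), // gpg writes lock files here
        'keys'           => [],
        'error'          => null,
    ];
    if (!$report['dir_readable']) {
        $report['error'] = "GNUPGHOME not readable by {$user}: chown it to that user, mode 700 dir / 600 files";
        return $report;
    }
    // The extension resolves GNUPGHOME when gnupg_init() runs, so set it first.
    putenv('GNUPGHOME=' . $home);
    $res = gnupg_init();
    gnupg_seterrormode($res, GNUPG_ERROR_WARNING); // surface errors instead of staying silent
    $keys = gnupg_keyinfo($res, ''); // '' lists every key in *this user's* keyring
    if ($keys === false) {
        $report['error'] = gnupg_geterror($res);
        return $report;
    }
    foreach ($keys as $k) {
        $report['keys'][] = [
            'fingerprint' => $k['subkeys'][0]['fingerprint'] ?? '?',
            'uid'         => $k['uids'][0]['uid'] ?? '?',
            'has_secret'  => (bool) ($k['is_secret'] ?? false), // required for gnupg_decrypt
        ];
    }
    return $report;
}

// Import an ASCII-armored key into the keyring of the user PHP runs as; returns its fingerprint.
function gnupg_import_into(string $home, string $armoredKey): ?string
{
    putenv('GNUPGHOME=' . $home);
    $result = gnupg_import(gnupg_init(), $armoredKey);
    return $result === false ? null : ($result['fingerprint'] ?? null);
}

$home = getenv('GNUPGHOME') ?: '/var/www/.gnupg'; // placeholder: the web user's own keyring
print_r(gnupg_diagnose($home));
```

Run it once from the command line and once through the web server: if `effective_user` differs between the two runs and only the web run shows an empty `keys` list, the keyring belongs to the wrong user, which is exactly the situation the answer describes.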