GPG command line batch add, "Sign" to existing encrypt process

Hi. Encryption is running great. However, my bank now wants me to add signing (with my key I assume). What do I need to add to the following line to make it happen?

GPG --batch --encrypt --passphrase-fd 0 -r 2A6E1F81 -o "C:\encryptedfiles\%%F.pgp" %%F

Much thanks.

Hi,

"-s" to sign using the default key.

"-s -u [keyID]" to use a different key.

Regards,
Sean C.

Thanks. Where should that be placed in the line? I am playing with it now but no success yet. The errors change with placement - most mention a password (is that needed for signing with my key?).
Here is the full file:
SETLOCAL
PATH=%ProgramFiles(x86)%\GNU\GnuPG;%PATH%

DIR /B "C:\FTP\Bank\outgoingdropfolder" > "%TMP%\~encryptlist.txt"
PUSHD "C:\FTP\Bank\outgoingdropfolder"
FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~encryptlist.txt"') DO (
IF EXIST "%%F" (
ECHO Password|GPG --batch --encrypt --passphrase-fd 0 -r 2A6E1F81 -o "C:\FTP\Bank\encryptedfiles\%%F.pgp" %%F
REM IF ERRORLEVEL 1 is true for any exit code >= 1, so delete only when it is NOT set
IF NOT ERRORLEVEL 1 DEL "%%F"
)
)
POPD

DEL "%TMP%\~encryptlist.*"
REM This is where we FTP the file out***********

ECHO Y|DEL "C:\FTP\Banking\encryptedfiles\*.*"
ENDLOCAL

For signing you need to unprotect your secret certificate with your passphrase.
(One solution to do this unattended is to use a certificate that has no passphrase protection, an empty passphrase.)

The options can be placed somewhere. So "-s" before the --encrypt would be fine.

Best Regards,
Bernhard
PS: Like my response?
I appreciate it if you flattr Gpg4win at https://flattr.com/thing/2053326 Thanks!
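A complete sign-and-encrypt loop for the batch file discussed above, written here as an added example (not a script from the thread or from Gpg4win). It assumes the folder names from the thread, a placeholder signing key ID, and a passphrase kept in a file that only the service account can read, instead of an ECHO in the script itself; the GnuPG options used (--sign, --local-user, --encrypt, --recipient, --passphrase-fd, --pinentry-mode) are real.

```batch
@ECHO OFF
SETLOCAL
PATH=%ProgramFiles(x86)%\GNU\GnuPG;%PATH%

REM Values from the thread plus placeholders; adjust to your setup.
SET "SRC=C:\FTP\Bank\outgoingdropfolder"
SET "DST=C:\FTP\Bank\encryptedfiles"
SET "BANKKEY=2A6E1F81"
SET "SIGNKEY=YOUR_SIGNING_KEYID"
REM Passphrase file: readable only by the account that runs this job.
SET "PASSFILE=C:\FTP\Bank\private\passphrase.txt"

PUSHD "%SRC%" || EXIT /B 1
FOR /F "delims=" %%F IN ('DIR /B /A-D') DO (
    REM --sign (-s) and --local-user (-u) can sit anywhere before the
    REM input file name; --passphrase-fd 0 reads the passphrase from stdin.
    REM --pinentry-mode loopback is needed on GnuPG 2.1 and later so that
    REM --passphrase-fd is honoured; remove it on GnuPG 2.0.
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 ^
        --sign --local-user %SIGNKEY% ^
        --encrypt --recipient %BANKKEY% ^
        --output "%DST%\%%F.pgp" "%%F" < "%PASSFILE%"
    REM IF ERRORLEVEL 1 matches every non-zero exit code, so the plaintext
    REM is only deleted when gpg reported success.
    IF ERRORLEVEL 1 (
        ECHO Sign+encrypt FAILED for "%%F" - keeping the original.
    ) ELSE (
        DEL "%%F"
    )
)
POPD
ENDLOCAL
```

Verify one output with `gpg --decrypt` on a machine holding the bank's test key: it should report both a good signature from %SIGNKEY% and decryption for %BANKKEY%.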

Thanks. Please forgive my ignorance. Is it possible (or even prudent) to strip the password out of my signing key? This is in fact the key to my company - seen as a single key in Kleopatra containing both the secret and public (also what the bank is expecting). Would it make more sense to split this into two command lines? Trying to dummy-proof it in case I have to deal with it again next year. Thanks again

There are two possibilities:
a) you are always there when the script runs, then you can "unprotect" your signing certificate
b) you want the script to work without you, then the environment running the script needs to have the power to access the secret certificate.

In all cases you should take adequate precautions. If your environment in case of b) is very safe, the protection of the secret certificate does not add much protection. On the other hand, if your computing environment is unsafe, even in case of a) you get problems (an attacker may get access to the secret certificate and your passphrase). Choose your own devil. :)

Hi. Yes, I need this to run when I am not there. I've locked down permissions on the batch file and the appropriate folders. The server is hardened and sitting behind FW/IPS. At this point I still cannot figure out the command line - I kept trying various combinations of the -s. I may simply tell the bank we can't do it. Ultimately, I would like to look into a product to automate this instead of the batch files. Thanks for all the responses

Well, it only works automated if you do have an empty passphrase on your certificate.
You could try if the command works a second time when you’ve already entered the passphrase a first time.

Thanks all for the assistance. I’ve decided to go a different route - dump the GPG and focus on securing the FTP traffic.