Powershell Script PGP

Dorian · March 19, 2024, 8:36am

Hello,

I need to make a powershell script that changes a depose file into a pgp encrypted file. The problem is that for it to be self-sufficient, I need to be able to pass the o/N validation when executing the script.
Here’s my script, which currently works, but it requires a validation that I don’t want. I’d like it to validate silently.

# Chemin du dossier à surveiller
$cheminDossier = "C:\Users\AD14140\Desktop\Test GPG"

# Création d'un objet pour surveiller les changements dans le dossier
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $cheminDossier
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents = $true

# Action à effectuer lorsqu'un fichier est créé dans le dossier surveillé
$actionCréationFichier = {
    $cheminFichier = $Event.SourceEventArgs.FullPath
    $nomFichier = $Event.SourceEventArgs.Name
    if ($nomFichier -like "*.xml") {
        Write-Host "Nouveau fichier détecté : $nomFichier"
        #importation de la cle publique
        #gpg --import "PGP Production C64B93CD.asc"
        #Preparation de la variable pour le fichier crypter
        $cheminFichierGPG = $cheminFichier.Substring(0, $cheminFichier.Length - 3) + "asc"

        $arguments = "--output `"$cheminFichierGPG`" --encrypt --recipient customer_support@kyriba.com `"$cheminFichier`""
        # Lancement de la commande gpg pour crypter le fichier
        Start-Process "gpg" -ArgumentList $arguments -Wait 
    
        # Suppression du fichier non crypté
        Remove-Item $cheminFichier
        #Write-Host "Fichier crypté créé et fichier original supprimé."
    }
}

# Associer l'action de création de fichier au watcher
Register-ObjectEvent $watcher "Created" -Action $actionCréationFichier

# Attendre que le script soit terminé
try {
    while ($true) {
        # Boucle infinie pour maintenir le script en cours d'exécution
        Start-Sleep -Seconds 1
}
} finally {
    # Une fois la boucle terminée, supprimer l'observateur
    Unregister-Event -SourceIdentifier FileSystemWatcher.Created
    $watcher.Dispose()
}

cklassen · March 21, 2024, 8:38am

Welcome to this forum, @Dorian!

I can’t see that the script is validating anything. Or do you mean something else? When you encrypt to a key you didn’t trust yet, GnuPG shows the message There is no assurance this key belongs to the named user. Do you mean this? Then you could use the option --always-trust to skip the message (of course to your own risk). It could also help you to look at this manual with options for GnuPG.

A hint for future posts: It is easier to understand your problem, if you share code examples with English comments and variable names

Dorian · March 25, 2024, 7:42am

Hello cklassen,

Thanks for the answer quickly.

He say that is not exist (gpg: Note: “–always-trust” is not considered an option)
Do you have a other solution ?

A reminder, i want to make this sentence disapeer :

Thanks alot !

Dorian

aheinecke · March 25, 2024, 8:41am

the option is “–trust-model always” but this might make your script insecure if someone tricks you into importing a different key. It is better to use --batch --yes --lsign-key once for each new key. Or to at least use the fingerprint instead of the userid.

As a Tipp: I found that LLMs like ChatGPT are really good for scripting GnuPG.

Dorian · March 25, 2024, 9:55am

I have tried this option but he cannot find again.

Could you send me the entire command ?
This is my command :
“–output "$FileGPG” --encrypt --recipient "$email" "$filepath""

Thanks !

aheinecke · March 25, 2024, 12:24pm

“–batch --yes --trust-model always --output "$FileGPG ”–recipient "$email --encrypt – " "$filepath “”

Adding batch and yes is always helpful e.g. if you would otherwise be asked. I suspect you added the option in the end and so it is not considered as option because it comes after the command.

Add a – before the filepath to ensure no one injects anything with malicous file names.