Page MenuHome GnuPG

2.2.21 breaks passphrase-repeat and password checking
Closed, ResolvedPublic


On macOS 10.14.6 here.

I just built gpg 2.2.21. To my surprise, when I symmetrically encrypt a file I am now hounded by pinentry about (a) the length of my passphrase, (b) how many special characters are in my passphrase. Also, (c) it demands that I enter the passphrase again even though passphrase-repeat 0 is in my gpg.conf.

It seems to me that (c) must be a bug. passphrase-repeat 0 has been in my gpg.conf for at least 8 years and I have never experienced this nag before.

I could workaround (a) and (b) my appending settings for min-passphrase-len and min-passphrase-nonalpha. But since (as far as I can tell) there is no mention of any changes regarding passphrase requirements in the release notes, I suspect that this might be a bug too.

Event Timeline

chdiza created this object in space S1 Public.
werner added a subscriber: werner.

Right 2.2.21 fixes a long standing bug in symmetric encryption in that the configured passphrase constraints were not checked. Eventually we will add a second sec of constraints here but for now the same constrains as for private key protection are used.

Do you configured gpg so that you did not get a passphrase confirmation? If so, is that a real world use case? The odds for a typo in a hidden field are quite high and thus the recipient would run into trouble. Better be sure about the passphrase when sending. But well you decision.

I have not checked the code yet but it is likely that I introduced such a bug.

Do you configured gpg so that you did not get a passphrase confirmation?

I have a gpg.conf that consists of a single line: passphrase-repeat 0. Until I had to append some settings to disable the nagging about password characteristics, I had a gpg-agent conf that consisted of two lines: one that sets default-cache-ttl and one that sets pinentry-program.

If so, is that a real world use case?

Yes. I encrypt local files only for myself, not for transmission to others. I have the passwords in deep muscle-memory; thus if I make a typo while setting a password there are a manageably small number of ways in which I might have done it wrong.

Here is another thing worth reporting. I found that passphrase-repeat is entirely ignored, regardless of the value set.

E.g., I set it to 4 and tried to symmetrically encrypt a file. I expected it to ask for the passphrase four times, but it only asked twice. So it isn't just my nonstandard setting of 0 that isn't working.

Thanks for reporting. Fixed for 2.2.22. repeat==0 works like before and repeat>1 also (that is several passphrase pinentries will pop up).