Page MenuHome GnuPG
Create Task
Maniphest T5646

indicate wrong passphrase via exit status
Closed, ResolvedPublic
Actions

Description

Hey.

Would it be possible to indicate cases of a wrong passphrase with a dedicated exit status?
Like when:

  • passphrase for the private key was wrong
  • passphrase from which directly a session key is derived was wrong
  • passphrase with which a session key is decrypted was wrong

Right now that simply seems to be exit status 2 like in many other cases.

I think the differences from these to other error conditions is, that they are likely solvable (by re-entering the correct passphrase) - unlike e.g. things like invalid MDC.
Therefore it would make some sense to have a dedicated exit status, so that e.g. in shell scripting one can easily deduce: oh it makes sense to repeat, as likely just the passprhase was wrong

Sure one could also examine the error messages, but I think these are subject to localisation and the stderr may not always be easily obtainable (at least not just the part what gpg would have printed to it).

Thanks for considering.

Cheers,
Chris.

Event Timeline

calestyo created this task.Oct 9 2021, 6:15 PM
werner closed this task as Resolved.Oct 10 2021, 4:15 PM
werner claimed this task.
werner edited projects, added FAQ, gnupg; removed Feature Request.
werner added a subscriber: werner.

Please use the --status-fd interface. This yields all the info you need. An exit code is not distinct enough for such purpose and you need to check the status lines in any case. For scripting gpgme-tool or gpgme-json might be useful as well because they do all the nitty-gritty parts of using gpg correctly

calestyo added a comment.Oct 10 2021, 5:12 PM

Hey.

I did in fact check --status-fd before, but I'm not sure whether it gives me the information I wanted.

When decrypting a file, and using a wrong password it does this:

$ gpg --status-fd 2 --decrypt keyfile.gpg
gpg: AES256.CFB encrypted data
[GNUPG:] NEED_PASSPHRASE_SYM 9 3 10
[GNUPG:] PINENTRY_LAUNCHED 8267 curses 1.1.0 /dev/pts/0 xterm-256color -
gpg: encrypted with 1 passphrase
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_COMPLIANCE_MODE 23
[GNUPG:] DECRYPTION_INFO 2 9 0
[GNUPG:] PINENTRY_LAUNCHED 8268 curses 1.1.0 /dev/pts/0 xterm-256color -
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: Bad session key
[GNUPG:] END_DECRYPTION

I think the line of interest would be [GNUPG:] DECRYPTION_FAILED, but that in turn seems to mean:

*** DECRYPTION_FAILED
    The symmetric decryption failed - one reason could be a wrong
    passphrase for a symmetrical encrypted message.

which sounds rather quite broad... i.e. not just a wrong passphrase,.. but e.g. also a wrong MDC?

I wanted to avoid GPGME, cause AFAIU its fully on top of gpg and as such just extra dependencies, which is normally no problem at all, but what I'm doing is happening in the initramfs and want to try to keep that small but not adding extra stuff unless strongly needed.

Thanks,
Chris.