
indicate wrong passphrase via exit status
Closed, Resolved, Public



Would it be possible to indicate cases of a wrong passphrase with a dedicated exit status?
Like when:

  • passphrase for the private key was wrong
  • passphrase from which a session key is derived directly was wrong
  • passphrase with which a session key is decrypted was wrong

Right now that simply seems to be exit status 2 like in many other cases.

I think the difference between these and other error conditions is that they are likely solvable (by re-entering the correct passphrase), unlike e.g. things like an invalid MDC.
Therefore it would make some sense to have a dedicated exit status, so that e.g. in shell scripting one can easily deduce: oh, it makes sense to repeat, as likely just the passphrase was wrong.

Sure, one could also examine the error messages, but I think these are subject to localisation, and stderr may not always be easily obtainable (at least not just the part that gpg would have printed to it).

Thanks for considering.


Event Timeline

werner claimed this task.
werner edited projects, added FAQ, gnupg; removed Feature Request.
werner added a subscriber: werner.

Please use the --status-fd interface. This yields all the info you need. An exit code is not distinct enough for such a purpose, and you need to check the status lines in any case. For scripting, gpgme-tool or gpgme-json might be useful as well, because they do all the nitty-gritty parts of using gpg correctly.


I did in fact check --status-fd before, but I'm not sure whether it gives me the information I wanted.

When decrypting a file, and using a wrong password it does this:

$ gpg --status-fd 2 --decrypt keyfile.gpg
gpg: AES256.CFB encrypted data
[GNUPG:] PINENTRY_LAUNCHED 8267 curses 1.1.0 /dev/pts/0 xterm-256color -
gpg: encrypted with 1 passphrase
[GNUPG:] PINENTRY_LAUNCHED 8268 curses 1.1.0 /dev/pts/0 xterm-256color -
gpg: decryption failed: Bad session key

I think the line of interest would be [GNUPG:] DECRYPTION_FAILED, but that in turn seems to mean:

    The symmetric decryption failed - one reason could be a wrong
    passphrase for a symmetrical encrypted message.

which sounds rather broad, i.e. not just a wrong passphrase, but e.g. also a wrong MDC?

I wanted to avoid GPGME, because AFAIU it's fully on top of gpg and as such just extra dependencies, which is normally no problem at all, but what I'm doing is happening in the initramfs, and I want to try to keep that small and not add extra stuff unless strongly needed.
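As an added example (not code from this tracker thread, from werner, or from the GnuPG project), here is the kind of status-line classification that werner's answer points at and that the second post is trying to work out: a POSIX sh function that reads a gpg --status-fd stream and reduces it to one script-friendly verdict. The keywords it matches (DECRYPTION_OKAY, DECRYPTION_FAILED, BADMDC, BAD_PASSPHRASE, MISSING_PASSPHRASE) are the ones documented in GnuPG's doc/DETAILS; which of them a particular gpg version emits on a particular code path is something to verify against the gpg actually used (as the captured output above shows, a symmetric wrong passphrase may surface only as DECRYPTION_FAILED, which is why the function keeps that case separate from the specific keywords). The sample status lines and the key id in them are constructed, and the fd-3 invocation in the comment is illustrative.

```shell
#!/bin/sh
# Added example: classify a gpg --status-fd stream. POSIX sh only, so it
# also runs under a busybox initramfs shell. Keywords are from GnuPG's
# doc/DETAILS; whether a given gpg version emits each one is version- and
# code-path-dependent, so check against your own gpg.

# Read status lines on stdin; print exactly one verdict word on stdout:
#   ok, wrong-passphrase, bad-mdc, other-failure, unknown
classify_gpg_status() {
    verdict=unknown
    failed=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] "*) ;;      # a status line: handle below
            *) continue ;;        # ordinary stderr text, if the stream is mixed
        esac
        rest=${line#"[GNUPG:] "}  # drop the prefix
        keyword=${rest%% *}       # first word is the keyword
        case "$keyword" in
            DECRYPTION_OKAY)   verdict=ok ;;
            BADMDC)            verdict=bad-mdc ;;          # integrity failure
            BAD_PASSPHRASE|MISSING_PASSPHRASE)
                               verdict=wrong-passphrase ;; # private-key passphrase
            DECRYPTION_FAILED) failed=1 ;;                 # broad; see below
        esac
    done
    # DECRYPTION_FAILED with no more specific keyword is ambiguous: a wrong
    # symmetric passphrase is one cause among several, so it is reported
    # separately rather than being folded into wrong-passphrase.
    if [ "$failed" = 1 ] && [ "$verdict" = unknown ]; then
        verdict=other-failure
    fi
    printf '%s\n' "$verdict"
}

# Retry policy for a prompting loop: exit status 0 means "asking again may
# help". A bad MDC or an unknown state is not fixed by a new passphrase.
gpg_retry_worthwhile() {
    case "$1" in
        wrong-passphrase|other-failure) return 0 ;;
        *) return 1 ;;
    esac
}

# Illustrative wiring (needs a real gpg and file; not executed here).
# Sending status to fd 3 keeps it apart from localised stderr messages:
#   gpg --status-fd 3 --decrypt keyfile.gpg 3>"$status_log" >"$plaintext"
#   verdict=$(classify_gpg_status < "$status_log")

# Constructed sample streams (the key id is a placeholder, not a real key).
SAMPLE_PRIVKEY_WRONG='[GNUPG:] BAD_PASSPHRASE 0123456789ABCDEF
[GNUPG:] DECRYPTION_FAILED'
SAMPLE_SYM_FAILED='gpg: encrypted with 1 passphrase
[GNUPG:] DECRYPTION_FAILED'
SAMPLE_BADMDC='[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED'

for sample in "$SAMPLE_PRIVKEY_WRONG" "$SAMPLE_SYM_FAILED" "$SAMPLE_BADMDC"; do
    v=$(printf '%s\n' "$sample" | classify_gpg_status)
    if gpg_retry_worthwhile "$v"; then r=retry; else r=give-up; fi
    printf '%s -> %s\n' "$v" "$r"
done
```

The verdict stays coarse on purpose: a script in an initramfs wants "prompt again or not", and leaving the ambiguous DECRYPTION_FAILED case as its own word lets the caller decide how many retries it is worth without pretending the status stream said more than it did.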