How to prevent gpg from choosing fallback secret key, when --default-key is not found?

Question

I'm calling the following command from a (Perl, bash) script:

gpg --batch --yes --default-key C0FFEEABCDEF0123 --clearsign some_file.txt

But that key (C0FFEEABCDEF0123) does not exist in my keychain, because there is a typo or the key went missing, so gpg can't sign using that key.

When this happens, gpg looks in keychain, finds the "default default" key (meaning the one it would choose without --default-key) and tries to sign with that one.

This results in a password prompt, which halts the script, because that key is encrypted. (I'm expecting one that is not encrypted, because this is a toy prototype.)

How do I make gpg give up if it can't find the specified key?

How do I make it give up if the key is encrypted and it can't be used without a password?

is specifying a keyring file an option? You can restrict what gpg tries via something like --no-default-keyring --keyring --secret-keyring — Abel, Oct 30 '19 at 00:52
@Abel: It's not really an option, because I am already specifying the keyring. Thank you for bringing my attention to all the different keyring command line option choices. — i-g, Oct 31 '19 at 18:37

LegendofPedro · Accepted Answer · 2019-10-30T00:42:51.833

How do I make gpg give up if it can't find the specified key?

gpg --batch --yes -u C0FFEEABCDEF0123 --clearsign some_file.txt

gpg: skipped "C0FFEEABCDEF0123": No secret key
gpg: some_file.txt: clear-sign failed: No secret key

How do I make it give up if the key is encrypted and it can't be used without a password?

You can use the --passphrase-fd --pinentry-mode loopback arguments to provide an empty password (or perhaps change the pinentry program?).

echo ""|gpg -q --batch --yes -u C0FFEEABCDEF0123 --textmode --passphrase-fd 0 --pinentry-mode loopback --clearsign some_file.txt

gpg: signing failed: No passphrase given
gpg: some_file.txt: clear-sign failed: No passphrase given

To do this on Windows (no pipes):

@echo off > pass.txt && @echo on && gpg -q --batch --yes -u C0FFEEABCDEF0123 --textmode --passphrase-file pass.txt --pinentry-mode loopback --clearsign some_file.txt & del /q pass.txt

Thank you, `-u` seemed to be the part I was missing. – i-g Nov 04 '19 at 20:17 — i-g, Nov 04 '19 at 20:17

score -1 · Answer 2 · answered Oct 30 '19 at 01:02

-1

If you do not mind some python (nice for scripting).

process = subprocess.Popen(
    "gpg --batch --yes --default-key C0FFEEABCDEF0123 --clearsign some_file.txt",
    shell=True,
    stdout=subprocess.PIPE,
    stderr=subprocess.PIPE,
    stdin=subprocess.PIPE)
process.communicate(input="")
if process.returncode == 0:
    # mb return 0
else:
    # mb return -1

answered Oct 30 '19 at 01:02

Yuki

3,857
5
25
43

Thank you for posting a response. I cannot assume Python's presence in the environment. I appreciate your contribution. – i-g Oct 31 '19 at 18:36

How to prevent gpg from choosing fallback secret key, when --default-key is not found?

2 Answers2