How to prevent gpg from choosing fallback secret key, when --default-key is not found?

Problem description

I'm calling the following command from a (Perl, bash) script:

gpg --batch --yes --default-key C0FFEEABCDEF0123 --clearsign some_file.txt

But that key (C0FFEEABCDEF0123) does not exist in my keychain, because there is a typo or the key went missing, so gpg can't sign using that key.

When this happens, gpg looks in the keychain, finds the "default default" key (meaning the one it would choose without --default-key) and tries to sign with that one.

This results in a password prompt, which halts the script, because that key is encrypted. (I'm expecting one that is not encrypted, because this is a toy prototype.)

How do I make gpg give up if it can't find the specified key?

How do I make it give up if the key is encrypted and it can't be used without a password?

Tags: gnupg

Solution


How do I make gpg give up if it can't find the specified key?

gpg --batch --yes -u C0FFEEABCDEF0123 --clearsign some_file.txt

gpg: skipped "C0FFEEABCDEF0123": No secret key
gpg: some_file.txt: clear-sign failed: No secret key

How do I make it give up if the key is encrypted and it can't be used without a password?

You can use the --passphrase-fd --pinentry-mode loopback arguments to provide an empty password (or perhaps change the pinentry program?).

echo ""|gpg -q --batch --yes -u C0FFEEABCDEF0123 --textmode --passphrase-fd 0 --pinentry-mode loopback --clearsign some_file.txt

gpg: signing failed: No passphrase given
gpg: some_file.txt: clear-sign failed: No passphrase given

To do this on Windows (no pipes):

@echo off > pass.txt && @echo on && gpg -q --batch --yes -u C0FFEEABCDEF0123 --textmode --passphrase-file pass.txt --pinentry-mode loopback --clearsign some_file.txt & del /q pass.txt
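The two answers above can be combined into a single fail-closed wrapper for use from a script. The following POSIX sh function is an added example, not code from the original question or answer: it refuses to sign unless the named secret key actually exists (so a typo can never fall through to another key), and it uses loopback pinentry with an empty passphrase so a passphrase-protected key fails with a non-zero exit status instead of blocking on a prompt. It assumes GnuPG 2.1 or later is in PATH; the key id and file name in the usage are placeholders.

```shell
#!/bin/sh
# Fail-closed clear-signing wrapper (constructed example, assumes gpg >= 2.1).
# Exit codes: 0 signed, 2 gpg not installed, 3 named secret key absent,
# 4 signing failed (e.g. protected key with no passphrase available).
sign_clear() {
    key="$1"
    file="$2"

    command -v gpg >/dev/null 2>&1 || return 2

    # Pre-check: --list-secret-keys exits non-zero when the key is not in the
    # secret keyring, so a typo or missing key is caught before gpg has any
    # chance to substitute its default key.
    gpg --batch --quiet --list-secret-keys "$key" >/dev/null 2>&1 || return 3

    # -u instead of --default-key: gpg will not silently pick another key.
    # Loopback pinentry with an empty passphrase on fd 0 makes a protected key
    # fail ("No passphrase given") instead of halting the script on a prompt.
    printf '' | gpg --batch --yes --quiet -u "$key" \
        --passphrase-fd 0 --pinentry-mode loopback \
        --clearsign "$file" || return 4

    return 0
}

# Usage: sh sign_clear.sh <KEYID> <file>  (produces <file>.asc on success)
if [ $# -eq 2 ]; then
    sign_clear "$1" "$2"
    exit $?
fi
```

Because every failure path returns a distinct non-zero code, the calling Perl or bash script can distinguish "wrong key id" from "key needs a passphrase" and abort without ever invoking the interactive pinentry.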

