I am trying to automate backups with duplicity, but when I test the result, I get
gpg: public key decryption failed: bad passphrase
I want to check whether the passphrase I am using is actually the passphrase associated with the corresponding gpg secret-key, but I can’t see anyway in the gpg command-line options to say “Don’t encrypt or decrypt anything. Just confirm I am using the right passphrase.”
This suggests that maybe I am (yet again) misunderstanding Gnu Privacy Guard. (It has a predilection for taunting me until I cry.)
Does it make sense to ask gpg to verify a passphrase? If so, how?
There is no in-built method for doing this, but it is simple enough to create a test that doesn’t modify anything and allows you to just check your passphrase.
You didn’t specify, so I will assume you are using GnuPG version less than v2 and are on Linux with Bash for your commandline interpreter.
I will give the command here and below I will explain what each part does – (note: the following is for GnuPG series version 1, see below for GnuPG series v2)
echo "1234" | gpg --no-use-agent -o /dev/null --local-user <KEYID> -as - && echo "The correct passphrase was entered for this key"What that does is first, pipe some text to sign to GnuPG with
echo "1234" |– because we don’t really want to sign anything, this is just a test, so we will sign some useless text.Next, we tell gpg to not use the key agent with
--no-use-agent; this is important later because, depending on your key agent, it may not return "0" on success, and that is all we want to do – verify success of your passphrase.Next, we tell gpg to put the signed data directly into the
/dev/nullfile, meaning we discard it and not write the result to the terminal — NOTE: if you are not using some variant of Linux/Unix, this file may not exist. On windows you may have to just allow it to write the signed data to the screen by just omitting the-o /dev/nullpart.Next, we specify the key we want to do our test with by using
--local-user 012345. You can use the KeyID for maximum specificity, or use a username, whichever best suites your needs.Next we specify
-as, which enables ascii output mode, and sets the context mode for signing. The-afterwards just tells GnuPG to get the data to be signed from standard-in, which is the very first part of the command we gaveecho "1234" |.And last, we have
&& echo "A message that indicates success"— the "&&" means, if the previous command was successful, print this message. This is just added for clarity, because the success of the command above would otherwise be indicated by no output at all.I hope that is clear enough for you to understand what is going on, and how you can use it do the testing you want to do. If any part is unclear or you do not understand, I will be glad to clarify.
[EDIT] – If you are using GnuPG v2, the above command will need to be modified slightly, like so:
echo "1234" | gpg2 --batch --passphrase-fd 1 --local-user <KEYID> -as - > /dev/null && echo "The correct passphrase was entered for this key"The reason being, GnuPG v2 expects the passphrase to be retrieved via an agent, so we cannot disable the use of the agent with
--no-use-agentand have the desired effect; instead we need to tell GnuPG v2 that we want to run a "batch" process, and retrieve the passphrase from STDIN (standard in) by using the option--passphrase-fd 1.Note: Don’t use
-o /dev/nullas it will delete character device and replace it with an empty file