27

Yes, I know it is a step into a less secure system, but the current setting makes it reasonable (the key is not important, but the signing has to be automatized).

Google results say this:

  1. List the keys with a gpg --list-keys
  2. Edit the key with a gpg --edit-key C0DEEBED....
  3. A gpg command line console starts, there a passwd command changes the passphrase
  4. Giving the password twice (in my case, simple enter) changes the key.

However, it doesn't work, because gpg2 simply doesn't allow an empty password.

What to do?

peterh
  • 9,731
  • Is there a reason why using gpg-agent will not work for automating gpg signing tasks? – Deathgrip Jul 18 '17 at 18:26
  • 2
    @Deathgrip Because the key also has a passphrase. Thus, in the case of signing anything, first this passphrase has to be given. It is an unavoidable human interaction. Thus, it can't be automatized. To automatize the gpg signing, I have to remove the passphrase from the key pair. Gpg can create key pairs without passphrase, and it can also change the passphrase of an existing key pair. The goal is now to remove the existing passphrase from the key pair, making it into a passphrase-less, unprotected one. (Note, file permissions are still protecting the key pair.) – peterh Jul 18 '17 at 18:48
  • 1
    Not completely automated, but you can manually start and seed the agent and use it until the machine reboots or your caches expire. I set max-cache-ttl and default-cache-ttl to 31536000 (365 days). Then "seed" the agent with a command similar to echo | gpg -sa -u <keyid> >/dev/null. A separate script could launch, source the environment file created when starting the agent, then sign a file. In the script, execute gpg with --batch mode and it should return an error if a password is required. Send an alert if that happens. I do a few things like this utilizing ssh and gpg agents. – Deathgrip Jul 18 '17 at 21:47
  • What's the purpose of a key password then if you can just remove it? – AnonymousLurker Nov 27 '18 at 00:34
  • @AnonymousLurker In general, it exists in the key as some hash or salt. Thus, you can't so easily remove it, it requires a dictionary attack to do that. In the special case of this question, the password is an obstacle to automatize the key-based encryption. – peterh Nov 27 '18 at 00:37
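As an added example (not from the question or any of the answers or comments here): once the passphrase is gone, the unattended signing that Deathgrip's comment sketches can be done as below. This POSIX shell script signs a file non-interactively, fails instead of prompting if the key still needs a passphrase, and checks that the file permissions the question relies on still protect the now-unprotected key. The function names are hypothetical, KEYID is a placeholder, and gpg 2.x is assumed.

```shell
#!/bin/sh
# Unattended detached signing with a passphrase-less key (added example,
# hypothetical helper names). Assumes gpg 2.x; usage: script KEYID FILE

# --batch plus --pinentry-mode error make gpg return non-zero instead of
# prompting, so a key that still carries a passphrase cannot hang the job.
sign_file() {
    keyid=$1; infile=$2
    gpg --batch --yes --no-tty --pinentry-mode error \
        --local-user "$keyid" --detach-sign --armor \
        --output "$infile.asc" "$infile" 2>/dev/null
}

# With no passphrase, file permissions are the only thing protecting the
# secret key: refuse to continue if the key store is group/world accessible.
check_keydir_perms() {
    dir=${GNUPGHOME:-$HOME/.gnupg}
    for p in "$dir" "$dir/private-keys-v1.d"; do
        [ -e "$p" ] || continue
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
        case $mode in
            700|600) ;;
            *) echo "insecure mode $mode on $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Sign, and raise an alert when signing fails (passphrase still set, key
# missing, agent unreachable); the caller's monitoring picks up the alert.
sign_or_alert() {
    if sign_file "$1" "$2"; then
        echo "signed $2 -> $2.asc"
    else
        echo "ALERT: non-interactive signing with key $1 failed" >&2
        return 1
    fi
}

# Only run when invoked with a key id and a file; sourcing it defines the
# functions without side effects.
if [ $# -eq 2 ]; then
    check_keydir_perms && sign_or_alert "$1" "$2"
fi
```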

5 Answers

36

As of gpg version 2.4.3, gpg --edit-key <keyid> passwd seems to work fine for removing a passphrase.

Issue the command, then provide your current passphrase and then the new one. Just type Enter for no passphrase. Then type quit to quit the program.

8

gpg --pinentry-mode loopback --passwd KEY

Enter the original password, but press enter 3 times instead of just once (original password, new password, then confirming new password). The problem was pinentry itself, so loopback mode just removes it from the equation. This should work with all versions of gpg AFAIK.

6

With pinentry-0.8.1 (and gnupg2-2.0.22) on CentOS 7 I was able to remove the passphrase from the secret key by not specifying a new password; pinentry did whine and warn about the blank password but both the console and GTK pinentry programs had a "Take this one anyway" prompt that resulted in a password-free secret key.

On the other hand, this attempt failed as the then imported secret key is marked as unusable:

gpg --export-options export-reset-subkey-passwd --export-secret-subkeys > x
thrig
  • 34,938
  • I dug sources a lot, I tried pinentry (completely undocumented command line interface), I used gpg --change-passphrase, I commented out "use agent" in ~/.gnupg/gpg.conf, and somehow, somewhere it started to work. I am too disappointed to invest even a little second into this any more. But thank you very much. – peterh Jul 18 '17 at 23:46
  • 1
    Yeah, I'm using gpg 1.4 elsewhere as gpg2 annoys me too much. – thrig Jul 19 '17 at 00:05

3

Well, I succeeded in removing the passphrase or creating a new key without a passphrase by using pinentry-gtk-2 as the pinentry program. Here is what I have done:

There is no config file in ~/.gnupg. I created a symbolic link from /usr/bin/pinentry to /usr/bin/pinentry-gtk-2

 sudo ln -s /usr/bin/pinentry-gtk-2 /usr/bin/pinentry

It also worked over an SSH connection with X11 forwarding.

  • Welcome to the Unix SE! I fought a lot with the ncurses-based pinentry, but without success. – peterh Oct 01 '18 at 21:32

1

I was able to do this using Kleopatra. In the application, right-click on the keypair you want to remove the passphrase from. Click Change passphrase.... Enter the passphrase in the pop-up window. In the next pop-up window leave both inputs empty and click Ok. Click the option similar to Yes, protection is not needed. These last two pop-ups may show up a couple of times as confirmation. Just leave the inputs for the new passphrase blank and click Ok. Then you will receive a confirmation that "The passphrase has been successfully reset".

Bahman.A
  • 111