Reputation: 103
I am trying to create a simple script which can be used to encrypt and decrypt files. However, it does not seem to matter which passphrase is used. As an example:

gen_key.py

```python
import gnupg

gpg = gnupg.GPG(gnupghome='gnupg')
gpg.encoding = 'utf-8'
input_data = gpg.gen_key_input(
    name_email='[email protected]',
    passphrase='mypassphrase',
    key_type='RSA',
    key_length=1024)
key = gpg.gen_key(input_data)
print(key)
```

encrypt.py

```python
import gnupg

gpg = gnupg.GPG(gnupghome='gnupg')
with open('test.txt', 'rb') as f:
    status = gpg.encrypt_file(f, recipients=['[email protected]'], output='test.encrypted')
print(status.ok)
```

decrypt.py

```python
import gnupg

gpg = gnupg.GPG(gnupghome='gnupg')
with open('test.encrypted', 'rb') as f:
    status = gpg.decrypt_file(f, passphrase='wrongpassphrase', output='test2.txt')
print(status.ok)
```
Note that we use the wrong passphrase in decrypt.py.
However, decrypt.py still manages to decrypt the file, even though we put in the wrong passphrase. Does anybody know why this is? And an even better question: how could one avoid this?
Upvotes: 2
Views: 1629
Reputation: 1202
I encountered the same kind of problem. In my case I was not prompted to enter the passphrase. So, running

```shell
export GPG_TTY=$(tty)
```

solved my problem.
Upvotes: 1
Reputation: 103
It appears that the GPG agent is automatically started by GPG and temporarily stores passphrases in memory for a specified amount of time. You can turn this off using this command in the terminal:

```shell
echo 'max-cache-ttl:0:0' | GNUPGHOME="${GNUPGHOME:-path/to/directory}" gpgconf --change-options gpg-agent
```

This sets the number of seconds the gpg agent should keep the passphrase in memory to 0. If you wish to change this value, you can change the last zero in 'max-cache-ttl:0:0' to whatever value you desire.
Upvotes: 1
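The same cache setting can be pinned from Python by writing it into `gpg-agent.conf` inside the GNUPGHOME the script uses, so the decrypt step cannot succeed on a cached passphrase from an earlier run. The code below is an added example, not part of the question or either answer: it manages the real `gpg-agent.conf` options `default-cache-ttl` and `max-cache-ttl` (both in seconds), keeps any other lines already in the file, and optionally runs `gpgconf --reload gpg-agent` so a running agent picks the change up. The function names and the `demo()` helper are this example's own; the `gpgconf` call is skipped when the binary is not on PATH, so the file-handling part runs without GnuPG installed.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Real gpg-agent.conf options controlling passphrase caching; 0 disables it.
CACHE_OPTIONS = {"default-cache-ttl": 0, "max-cache-ttl": 0}


def read_agent_conf(gnupghome):
    """Parse gpg-agent.conf under gnupghome into {option: value}.

    Options without a value (bare flags) map to an empty string.
    A missing file yields an empty dict.
    """
    path = Path(gnupghome) / "gpg-agent.conf"
    settings = {}
    if not path.exists():
        return settings
    for line in path.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        settings[name] = value.strip()
    return settings


def disable_passphrase_cache(gnupghome, reload_agent=True):
    """Set both cache TTLs to 0 in gpg-agent.conf, preserving unrelated lines.

    Existing cache-ttl lines are replaced rather than duplicated, so the call
    is idempotent. Returns (parsed settings, whether the agent was reloaded).
    """
    home = Path(gnupghome)
    home.mkdir(mode=0o700, exist_ok=True)
    path = home / "gpg-agent.conf"
    kept = []
    if path.exists():
        for line in path.read_text(encoding="utf-8").splitlines():
            name = line.strip().partition(" ")[0]
            if name not in CACHE_OPTIONS:
                kept.append(line)
    kept.extend(f"{name} {value}" for name, value in CACHE_OPTIONS.items())
    path.write_text("\n".join(kept) + "\n", encoding="utf-8")
    os.chmod(path, 0o600)  # agent config should not be world-readable

    reloaded = False
    if reload_agent and shutil.which("gpgconf"):
        # Tell a running agent for this GNUPGHOME to re-read its config.
        env = dict(os.environ, GNUPGHOME=str(home))
        result = subprocess.run(["gpgconf", "--reload", "gpg-agent"],
                                env=env, capture_output=True)
        reloaded = result.returncode == 0
    return read_agent_conf(home), reloaded


def demo():
    """Exercise the helper on a throwaway GNUPGHOME (constructed, offline).

    Returns the parsed config after two runs plus the raw file, so a caller
    can check that a pre-existing unrelated option survived and that the
    cache options were not duplicated.
    """
    home = tempfile.mkdtemp(prefix="gnupg-demo-")
    conf = Path(home) / "gpg-agent.conf"
    # Constructed pre-existing setting that must be preserved.
    conf.write_text("pinentry-program /usr/bin/pinentry-curses\n", encoding="utf-8")
    disable_passphrase_cache(home, reload_agent=False)
    settings, _ = disable_passphrase_cache(home, reload_agent=False)
    raw = conf.read_text(encoding="utf-8")
    shutil.rmtree(home, ignore_errors=True)
    return settings, raw


if __name__ == "__main__":
    print(demo())
```

Point `disable_passphrase_cache` at the same `gnupghome` the scripts above pass to `gnupg.GPG(...)`; a separate GNUPGHOME has its own agent instance, so changing the default one under `~/.gnupg` would not affect it.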