From f23af0689473dae66c2b6462f44976bddb4a5ff3 Mon Sep 17 00:00:00 2001
From: Rowen S
Date: Fri, 6 Dec 2024 15:54:28 -0500
Subject: [PATCH] Include password-protected keyfile check in SDWConfigValidator.
---
 files/validate_config.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/files/validate_config.py b/files/validate_config.py
index dfcb7845..46318be3 100755
--- a/files/validate_config.py
+++ b/files/validate_config.py
@@ -103,14 +103,12 @@ def confirm_submission_privkey_file(self):
 gpg_env = {"GNUPGHOME": d}
 # Call out to gpg to confirm it's a valid keyfile
 try:
- subprocess.check_call(
- gpg_cmd, env=gpg_env, stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL
- )
+ subprocess.check_output(gpg_cmd, env=gpg_env, stderr=subprocess.STDOUT)
 result = True
- except subprocess.CalledProcessError:
- # suppress error since "result" is checked next
- pass
-
+ except subprocess.CalledProcessError as err:
+ if err.output and "No pinentry" in err.output.decode():
+ raise ValidationError("PGP key is passphrase-protected.")
+ # Otherwise, continue; "result" is checked next
 if not result:
 raise ValidationError(f"PGP secret key is not valid: {self.secret_key_filepath}")
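Review bot: `err.output.decode()` in the new `except` branch can raise UnicodeDecodeError if gpg's combined stdout/stderr holds bytes that are not valid UTF-8, and that would escape as an unhandled exception instead of a ValidationError. Matching on bytes avoids the decode: `if err.output and b"No pinentry" in err.output:`. The branch also depends on gpg's human-readable wording and on no pinentry being reachable from the stripped environment, so a gpg that words this failure differently presumably falls through to the generic "not valid" error. A comment such as `# "No pinentry" only refines the message; any other gpg failure is still rejected through "result" below` would record that the validator fails closed either way. Adding `from err` to the new `raise` would keep gpg's output attached for debugging. The function body starts before this hunk, so `gpg_cmd` and the initial value of `result` are not visible here.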