In gpg 2.1, if a user imports a secret key file that contains a locked key, they
get prompted by the agent for the password for that key. Failure to enter the
password for the key (or failure of pinentry, etc) results in no keys imported,
and a termination of the entire import afaict (further secret keys are not
imported).
However, if the user uses --batch --import, or if gpg is just migrating their
existing secring.gpg, the keys are imported silently, and their passphrases are
left unchanged.
It's not clear to me what the advantage is of prompting for the passphrase upon
import.
Even if there is a reason to prompt for the passphrase, it's not clear that a
failure to enter the passphrase correctly (or a failure to launch pinentry)
should abort the import, instead of proceeding as --batch or as the normal
migration proceeds.
I think the simplest thing to do is to not prompt for the passphrase upon import
at all, and just place the secret key directly into ~/.gnupg/private-keys-v1.d