decryption outputs to stdout before verification

Werner Koch wk at gnupg.org
Fri Oct 17 15:42:25 CEST 2025


Hi!

On Thu, 16 Oct 2025 21:37, Tennyson T Bardwell said:

> In short: I experimented and found that `gpg -d > results.txt` will
> write to `results.txt` even if the verification (signature or MDC) of
> the wrapped message fails.

Sure, gpg is a Unix tool and as such used in pipelines to process huge
amounts of data.

> I think that I understand why this happens[2], why integrity is
> important[3], and that writing to a temporary file (and checking the
> exit code before use) is the recommended way to handle this. (Although,

Right.  Before you further process the data you should verify it.

> However, I notice that gpg's `--decrypt` flag does not have a way to
> specify the expected signer, meaning that (without parsing stderr)

You can do that with --assert-signer like:

  $ gpg -d --assert-signer 8777461F2A074EBC480D359419CC1C9E085B107A foo
  gpg: encrypted with brainpoolP384r1 key, ID 2B999FA9CE046B1B, created 2021-06-28
        "wk at gnupg.org"
  gpg: using "63113AE866587D0A" as default secret key for signing
  Today is the first day of the rest of your life.
  gpg: Signature made Fri 17 Oct 2025 03:15:13 PM CEST
  gpg:                using EDDSA key 8777461F2A074EBC480D359419CC1C9E085B107A
  gpg: Good signature from "wk at gnupg.org" [ultimate]
  gpg:                 aka "werner at eifzilla.de" [ultimate]
  gpg:                 aka "wk at g10code.com" [ultimate]
  gpg:                 aka "werner.koch at gnupg.com" [ultimate]
  gpg: asserted signer '8777461F2A074EBC480D359419CC1C9E085B107A'
  $ echo $?
  0

and here using a non-matching signer:

  $ gpg -d --assert-signer E8EC28456EA6CFD7A0B15821C1DBABEF2C2096BB foo
  gpg: encrypted with brainpoolP384r1 key, ID 2B999FA9CE046B1B, created 2021-06-28
        "wk at gnupg.org"
  gpg: WARNING: server 'keyboxd' is older than us (2.5.12-beta1 < 2.5.13-beta9)
  gpg: Note: Outdated servers may lack important security fixes.
  gpg: Note: Use the command "gpgconf --kill all" to restart them.
  gpg: using "63113AE866587D0A" as default secret key for signing
  Today is the first day of the rest of your life.
  gpg: Signature made Fri 17 Oct 2025 03:15:13 PM CEST
  gpg:                using EDDSA key 8777461F2A074EBC480D359419CC1C9E085B107A
  gpg: Good signature from "wk at gnupg.org" [ultimate]
  gpg:                 aka "werner at eifzilla.de" [ultimate]
  gpg:                 aka "wk at g10code.com" [ultimate]
  gpg:                 aka "werner.koch at gnupg.com" [ultimate]
  $ echo $?
  1

To observe more information in a scripted application use --status-fd,
for example to check for a DECRYPTION_OKAY line.  You would see this line
even if you don't have the public key for the signature.

> 1. Am I missing something?

--assert-signer is available since 2.4.1

> 2. Do I need to manually verify that PGP blocks in my emails match the
>    sender to avoid https://articles.59.ca/doku.php?id=pgpfan:forwarding
>    or simply email sender spoofing?

I have not read that article but a good mail client should indicate
what part of the forwarded mail has been signed.

> 3. May I, respectfully, request improvement to the documentation?

There are so many use cases that a single hint does help a lot ;-)

> [3]
> I often see it recommended to sign messages before encrypting to ensure
> integrity (and, as a byproduct, authentication). It seems that this was
> so crucial that MDCs are now enabled by default. My understanding is
> that MDCs provide integrity guarantees without signing. It seems that a

An MDC implements authenticated encryption (AE or AEAD) and for certain
use cases it is better to have integrity.  In the old PGP days we always
said that signing is enough.  But for some use cases authenticated
encryption is needed.

> lack of integrity allows the injection of text into the message, such as
> Efail: https://efail.de/

Actually that is about implementation bugs in MUAs which we can partly
solve with MDCs or more modern AE like OCB mode.

Authenticated Encryption does not help against malicious content.  This
can only be mitigated by using a signature from a known key.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
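
The temporary-file procedure from this thread, combined with --assert-signer and --status-fd, as an added example that is not part of the original message or of GnuPG. The function names status_verified, decrypt_checked and sample_status are hypothetical, and the status lines in sample_status are constructed (only the fingerprint is taken from the session above).

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.

# status_verified STATUS_FILE FPR
# Succeeds only if the --status-fd log has DECRYPTION_OKAY and a VALIDSIG
# line naming FPR as signing key (field 3) or primary key (last field),
# and no DECRYPTION_FAILED or BADSIG line.
status_verified() {
    awk -v want="$2" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "DECRYPTION_OKAY" { dec = 1 }
        $2 == "DECRYPTION_FAILED" || $2 == "BADSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { sig = 1 }
        END { exit !(dec && sig && !bad) }
    ' "$1"
}

# decrypt_checked FPR INFILE OUTFILE
# Plaintext goes to a temp file next to OUTFILE and is renamed into place
# only if gpg exits 0 (--assert-signer matched) and the status log agrees.
decrypt_checked() {
    _fpr=$1; _src=$2; _dst=$3
    _tmp=$(mktemp "$_dst.XXXXXX") || return 1
    _st=$(mktemp) || { rm -f -- "$_tmp"; return 1; }
    if gpg --batch --status-fd 3 --assert-signer "$_fpr" --decrypt -- "$_src" \
            >"$_tmp" 3>"$_st" \
        && status_verified "$_st" "$_fpr"
    then
        mv -- "$_tmp" "$_dst"; _rc=$?
    else
        rm -f -- "$_tmp"; _rc=1      # unverified plaintext is discarded
    fi
    rm -f -- "$_st"
    return "$_rc"
}

# Constructed status log for offline testing of status_verified.
sample_status() {
    cat <<'EOF'
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG 19CC1C9E085B107A constructed user id
[GNUPG:] VALIDSIG 8777461F2A074EBC480D359419CC1C9E085B107A 2025-10-17 1760706913 0 4 0 22 10 00 8777461F2A074EBC480D359419CC1C9E085B107A
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
EOF
}
```

decrypt_checked requires gpg 2.4.1 or later for --assert-signer; callers should act on OUTFILE only when the function returns 0.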