
No reasonable error codes on decryption failure
Closed, Resolved, Public


Decryption with the Python module around gpgme only produces very general error codes which give little or no clue to what happened.
I did 3 different tests:

  1. Decrypt and cancel the passphrase dialog of the agent
  2. Decrypt data for which you do not have the private key
  3. Decrypt truncated/corrupt data

All 3 returned a GPGMEError exception with text "Invocation of gpgme_op_decrypt_verify: GPGME: Decryption failed" and error code 152.

This is not really helpful as the three cases above should be handled differently - first one is no error, second one should show a meaningful message and only the third one really is an error.



Event Timeline

justus triaged this task as Normal priority. Jul 11 2017, 12:34 PM
justus edited projects, added gnupg (gpg22); removed Python.
justus added a subscriber: justus.

This is not specific to Python, and it may not even be a bug in GPGME, but in gpg. Needs some more investigation.

@aheinlein we need to know the gnupg version you are using with GPGME.

I am using Debian 9 with the packaged versions. For gnupg this is 2.1.18.

werner changed the task status from Open to Testing. Jul 12 2017, 6:46 PM

Thanks. Indeed we should have better error codes. However, passing all error codes from the backend to the user is not useful.

In the mentioned commit I handled the most common error codes so that you now get


which handles your first two cases. For truncated or corrupt data we keep GPG_ERR_DECRYPTION_FAILED because there are too many ways a message can be broken or truncated that a single error can't explain the details.

CANCELED is an error and treated as such. If your application does not want to treat it as an error, you need to handle this yourself. Same goes for BAD_PASSPHRASE.
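One way an application can apply its own policy to these codes, as an added example that is not part of the thread or of GPGME itself. It assumes the "no private key" case is reported as `GPG_ERR_NO_SECKEY`; the numeric values 11, 17 and 99 come from libgpg-error rather than from this page, and `try_decrypt`, `TERMINAL` and `FakeGPGMEError` are hypothetical names, the last a stand-in for `gpg.errors.GPGMEError` so the block runs without a keyring.

```python
# Error codes as defined by libgpg-error; 152 is the value quoted in the report.
GPG_ERR_BAD_PASSPHRASE = 11
GPG_ERR_NO_SECKEY = 17        # assumed to be the code reported for test case 2
GPG_ERR_CANCELED = 99
GPG_ERR_DECRYPTION_FAILED = 152
GPG_ERR_CODE_MASK = 0xFFFF    # low 16 bits of a gpg_error_t; the source sits above

# Hypothetical status labels an application might use for each outcome.
TERMINAL = {
    GPG_ERR_CANCELED: "cancelled",                   # user closed the dialog
    GPG_ERR_NO_SECKEY: "no-secret-key",              # explain to the user
    GPG_ERR_DECRYPTION_FAILED: "decryption-failed",  # corrupt or truncated input
}


class FakeGPGMEError(Exception):
    """Constructed stand-in for gpg.errors.GPGMEError so this runs offline."""

    def __init__(self, error):
        super().__init__("gpg error value %d" % error)
        self.error = error

    def getcode(self):
        # Strip the error-source bits and keep only the error code.
        return self.error & GPG_ERR_CODE_MASK


def try_decrypt(decrypt, ciphertext, error_type=FakeGPGMEError, max_attempts=3):
    """Return (status, plaintext); plaintext is None unless status is "ok"."""
    for _ in range(max_attempts):
        try:
            return ("ok", decrypt(ciphertext))
        except error_type as exc:
            code = exc.getcode()
            if code == GPG_ERR_BAD_PASSPHRASE:
                continue                      # ask again, up to max_attempts
            if code in TERMINAL:
                return (TERMINAL[code], None)
            raise                             # unknown code: never guess
    return ("bad-passphrase", None)
```

With the real bindings, pass `gpg.errors.GPGMEError` as `error_type`; plaintext is only ever returned on the `"ok"` path, so a failed decryption cannot be mistaken for partial success.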

Thank you very much for addressing this so quickly. I agree that corrupt data needs no further details here.

Fix was released with GPGME 1.10.0