- Encrypt a file with: < somefile gpg -c > tmp.gpg
- Modify the file in some way. An attacker would preserve the headers while modifying the ciphertext.
- Decrypt the file with: < tmp.gpg gpg -d > plaintext
Expected result: GPG detects the error and fails with a decryption error.
Actual result: GPG detects the error, returns the wrong plaintext, and exits with status 2 and a warning on stderr.
It should be possible to force GPG to bypass this check, since bit rot might occur, but this should not happen accidentally, so it should definitely not be the default. Currently, a script or application using GPG must manually check that the decryption was successful and that the plaintext, which GPG happily sends to the application, is valid at all. We all know how often such manual checks are forgotten. It should fail with an error message instead. The only way around it should be one or more very obvious parameters that cannot be abbreviated to hide the fact, such as having to pass --insecure-mode --disable-MDC-check.
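The manual check the report says scripts must do today, written out as an added example (not part of the original report and not GnuPG's own code): a POSIX sh wrapper that buffers gpg's output to a temporary file, reads the machine-readable status stream (--status-fd), and only releases the plaintext when the status lines report DECRYPTION_OKAY and no BADMDC or DECRYPTION_FAILED. The status tokens are GnuPG's documented ones; the helper and file names are assumptions, and the sample status lines in the usage note are constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example, not code from the original report or from GnuPG.
# Assumes a gpg binary that supports --status-fd; token names are the
# documented GnuPG status tokens (GOODMDC, BADMDC, DECRYPTION_OKAY,
# DECRYPTION_FAILED).

# Read status lines on stdin. Return 0 only when DECRYPTION_OKAY was seen
# and no failure token was seen; a truncated or empty status stream fails.
decryption_status_ok() {
    okay=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] DECRYPTION_OKAY"*) okay=1 ;;
            "[GNUPG:] DECRYPTION_FAILED"*|"[GNUPG:] BADMDC"*) return 1 ;;
        esac
    done
    [ "$okay" -eq 1 ]
}

# Decrypt $1 into $2. Plaintext goes to a temp file first, so a failed or
# unverified decryption never reaches $2; fd 3 carries the status stream.
# The exit status alone is not trusted: the report shows gpg emitting the
# plaintext before exiting with status 2, so the status lines are checked
# as well and the temp file is destroyed on any failure.
safe_decrypt() {
    in="$1"; out="$2"
    tmp_plain=$(mktemp) || return 1
    tmp_status=$(mktemp) || { rm -f "$tmp_plain"; return 1; }
    gpg --batch --status-fd 3 -d "$in" >"$tmp_plain" 3>"$tmp_status" 2>/dev/null
    gpg_rc=$?
    if [ "$gpg_rc" -eq 0 ] && decryption_status_ok <"$tmp_status"; then
        mv "$tmp_plain" "$out"
        rm -f "$tmp_status"
        return 0
    fi
    rm -f "$tmp_plain" "$tmp_status"
    return 1
}
```

Usage: safe_decrypt tmp.gpg plaintext; the caller gets a non-zero exit and no output file whenever the status stream lacks DECRYPTION_OKAY or contains BADMDC or DECRYPTION_FAILED. decryption_status_ok can be exercised on its own by piping constructed status lines into it, e.g. printf '%s\n' "[GNUPG:] BADMDC" "[GNUPG:] DECRYPTION_FAILED" | decryption_status_ok returns 1.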