Originally reported as a Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2054964
Encrypting&signing file with forced aead (--force-aead) prints the OCB modes will be used, but decrypting claims the CFB mode is used:
$ gpg -u testkey --force-aead -vsc foo gpg: AES256.OCB encryption will be used $ gpg -vd foo.gpg gpg: AES256.CFB encrypted data
After some digging into the code, it turns out the symkey packets created by the function sign_symencrypt_file() are a bit different than the ones created with encrypt_simple() (v4 only, no information about aead). After changing the function to use v5 and propagate the aead the tools report correct modes:
gpg2 -v -d the_file.enc gpg: AES256.OCB encrypted data
Otherwise, the --list-packets shows even with the old version that the AEAD encrypted packet is correctly used:
# off=15 ctb=d4 tag=20 hlen=3 plen=194 new-ctb :aead encrypted packet: cipher=9 aead=2 cb=16 length: 194
and the decryption looks like working just fine regardless the claims in the verbose logs.
I am not sure if there are more places where such packets are constructed that are worth checking or if there would be a good place to write some sanity/regression test to make sure this works as expected, but I can have a look into that later.