I tested following cases with a 100~mb file (GnuPG 2.5.20 on linux):

I'd like to push the changes above for gpg, even if it's not exactly same as what Kleo does (not perfect enough: when signature check fails, output file remains;).

I found that for a signed+encrypted file, when AEAD failure occurs in the stream of signature part (after literal data part), output file remains.
It's also the case when signature (which comes after literal data packet) is wrong.

Tested on Linux with GnuPG 2.5.20.
Testing with a small file (160~byte) did not leave a broken file. If I
understand Werner correctly it is due to libgpg-error/estream.c:
fcancel emptying the buffer if the file fits in the buffer.
Thus I tested with a 1GB file.

$ gpg -o bigfile.encr -z0 --force-ocb -c bigfile.txt

modified bigfile.txt

$ gpg -o a.out -d bigfile.encr

Output before patch:

gpg: AES256.OCB encrypted session key
gpg: encrypted with 1 passphrase
gpg: gcry_cipher_checktag failed: Checksum error
gpg: problem reading source (1069547542 bytes remaining)
gpg: handle plaintext failed: System error w/o errno
gpg: WARNING: encrypted message has been manipulated!

A broken file remains.

Additional patch for gpg:

In the comment of mine {T7873#218499}, I was wrong. The place I explained for a breakpoint was for symmetric encryption.
For public key encryption, it is:

For gpg, we need to check (and possibly fix) the cases with:

• a signed then encrypted message
• a compressed then encrypted message
• importing an encrypted keyring
• etc.

Actually this means that the BER encoding is broken. I would propose to not return an error in this case only if a new flag is passed to libksba.

Note: still happens on vsd 3.3.7

Notes: This currently relies on CryptoHelper::decryptMessage() in mimetreeparser. That in turn re-implements all the decrypt handling that we already have elsewhere, except it fails on a lot of the (many) corner cases. In Outlook, it already breaks at the message no longer being properly typed as multipart/encrypted.