After discussion various other wordings like:

Since the signing certificate is not marked as verified, the data cannot be trusted to originate from the right source, either. Technically, signature and data match.

I found this hard to read. Suggestion: "Technically, signature and data match, but the signing certificate is not marked as verified. The data cannot be trusted to originate from the stated source."

It occurred to me that users may find the wording "evaluated FILE with signature" strange, because if you have a paper document you check the signature and not the content of the file.
Opinions?

Test results with the same files as in my last comment and the updated patch:
In cases 2 and 4 where no compression and no --chunk-size was used, and a
later tag was modified the output file still remains.
In all other cases no output file (with or without .part) remains.

There was no veto for the removal of the color. I'll update the description.

Noteworthy changes in Version 5.0.2 (2026-03-16)

Thanks again for further testing of yours.

I tested following cases with a 100~mb file (GnuPG 2.5.20 on linux):

I'd like to push the changes above for gpg, even if it's not exactly same as what Kleo does (not perfect enough: when signature check fails, output file remains;).

I found that for a signed+encrypted file, when AEAD failure occurs in the stream of signature part (after literal data part), output file remains.
It's also the case when signature (which comes after literal data packet) is wrong.

Tested on Linux with GnuPG 2.5.20.
Testing with a small file (160~byte) did not leave a broken file. If I
understand Werner correctly it is due to libgpg-error/estream.c:
fcancel emptying the buffer if the file fits in the buffer.
Thus I tested with a 1GB file.

$ gpg -o bigfile.encr -z0 --force-ocb -c bigfile.txt

modified bigfile.txt

$ gpg -o a.out -d bigfile.encr

Output before patch:

gpg: AES256.OCB encrypted session key
gpg: encrypted with 1 passphrase
gpg: gcry_cipher_checktag failed: Checksum error
gpg: problem reading source (1069547542 bytes remaining)
gpg: handle plaintext failed: System error w/o errno
gpg: WARNING: encrypted message has been manipulated!

A broken file remains.

Additional patch for gpg:

In the comment of mine {T7873#218499}, I was wrong. The place I explained for a breakpoint was for symmetric encryption.
For public key encryption, it is:

For gpg, we need to check (and possibly fix) the cases with:

• a signed then encrypted message
• a compressed then encrypted message
• importing an encrypted keyring
• etc.

Actually this means that the BER encoding is broken. I would propose to not return an error in this case only if a new flag is passed to libksba.