From 40b9c12200a769540cd029dbbfd971bc93ce58bf Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Thu, 27 Feb 2025 21:25:02 +0100
Subject: [PATCH] Check GnuPG decryption result for non-empty size.
Signed-off-by: Felix Fontein
---
 pgp/keysource.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/pgp/keysource.go b/pgp/keysource.go
index 1646aceaa..65769a3bf 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
@@ -428,7 +428,17 @@ func (key *MasterKey) decryptWithGnuPG() ([]byte, error) {
 		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String()))
 	}
-	return stdout.Bytes(), nil
+	result := stdout.Bytes()
+	if len(result) == 0 {
+		// This can happen if an older GnuPG version is used to decrypt a key encrypted with a
+		// newer GnuPG version that used an AEAD cipher, which the old version does not support.
+		// Apparently some GnuPG versions drop the unspuported packets, which results in a decrypted
+		// data of 0 bytes, and returns nothing with exit code 0.
+		//
+		// (See https://github.com/getsops/sops/issues/896#issuecomment-2688079300 for more infos.)
+		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned")
+	}
+	return result, nil
 }
 // NeedsRotation returns whether the data key needs to be rotated
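Review bot: The new zero-length error discards whatever GnuPG wrote to stderr, even though the failing-exit branch two lines above already captures it; when gpg exits 0 with empty output it may still have printed a diagnostic about the packet it skipped, and surfacing that would let an operator tell the AEAD/version mismatch apart from an empty or truncated payload. Suggest `return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned (stderr: %q)", strings.TrimSpace(stderr.String()))`, which is consistent with the existing error format in this function. The new comment also has two typos: `unspuported` should read `unsupported`, and `for more infos` should read `for more information`. decryptWithGnuPG's signature and the gpg invocation are outside the hunk, so whether stderr is non-empty in this case is inferred, not visible here.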