
Allow customizing of decryption command flags

Open synth opened this issue 5 months ago • 0 comments

Context: There are some legacy/enterprise systems that encrypt files without MDC (modification detection code) protection as part of the PGP standard despite it being around for over 2 decades. This is the case with Workday's PGP implementation as of writing, August 2025.

When decryption tries to proceed with a file that lacks MDC protection, the error gpg: decryption forced to fail! occurs and decryption fails. GPG permits bypassing this with the flag --ignore-mdc-error. The Workday issue is further discussed here: https://www.reddit.com/r/workday/comments/1fsle5n/enabling_mdc_protection_for_pgp_encryption_in/

It would be great if the command line flags here were customizable so we can include --ignore-mdc-error when we need to.

Workaround:

You can actually just prepend the filename argument with --ignore-mdc-error and that seems to work. It's just hacky. I have implemented the following in a wrapper service class I have in my application:

# Method from a wrapper service class; `passphrase` and `temp_file` are
# expected to be provided by the surrounding class.
def decrypt_file(encrypted_file_path, ignore_mdc: false)
  # Workaround: prepend the gpg flag to the file name argument.
  encrypted_file_argument =
    if ignore_mdc
      "--ignore-mdc-error #{encrypted_file_path}"
    else
      encrypted_file_path
    end

  IOStreams::Pgp::Reader.file(encrypted_file_argument, passphrase:) do |reader|
    # Use binmode to handle binary data properly
    temp_file.binmode
    temp_file.write(reader.read)
  end
end

synth avatar Aug 02 '25 23:08 synth
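
One way to make the flag an explicit, allow-listed option instead of passing it through the file name, shown as an added example that is not part of the original issue or of the iostreams code base. `PgpDecrypt`, `build_argv` and `decrypt` are hypothetical names, and gpg 2.1+ is assumed for `--pinentry-mode loopback`; since `--ignore-mdc-error` turns off modification detection, it is opt-in per call and logged.

```ruby
require "open3"

# Added example, not iostreams code. All names here are hypothetical.
module PgpDecrypt
  # Extra gpg flags a caller may opt into; anything else is rejected.
  ALLOWED_EXTRA_FLAGS = %w[--ignore-mdc-error].freeze

  # Assumes gpg >= 2.1 (needed for --pinentry-mode loopback).
  BASE_FLAGS = %w[--batch --no-tty --yes --pinentry-mode loopback --passphrase-fd 0].freeze

  # Build the gpg argv as an array so no shell ever parses the path.
  def self.build_argv(path, extra_flags: [], executable: "gpg")
    path = path.to_s
    raise ArgumentError, "empty path" if path.empty?

    rejected = extra_flags - ALLOWED_EXTRA_FLAGS
    raise ArgumentError, "flag not allowed: #{rejected.join(' ')}" unless rejected.empty?

    # "--" ends option parsing: a path such as "--ignore-mdc-error in.pgp"
    # is then treated as a single file name, never as a flag.
    [executable, *BASE_FLAGS, *extra_flags.uniq, "--decrypt", "--", path]
  end

  # Decrypt to a binary string. The passphrase goes over stdin (fd 0),
  # never onto the command line.
  def self.decrypt(path, passphrase:, extra_flags: [])
    argv = build_argv(path, extra_flags: extra_flags)
    # Leave an audit trail whenever integrity checking is bypassed.
    warn "MDC check bypassed for #{path}" if extra_flags.include?("--ignore-mdc-error")

    out, err, status = Open3.capture3(*argv, stdin_data: "#{passphrase}\n", binmode: true)
    raise "gpg failed: #{err.strip}" unless status.success?

    out
  end
end
```

A caller that has to accept files without MDC protection would use `PgpDecrypt.decrypt(path, passphrase: secret, extra_flags: ["--ignore-mdc-error"])` for that source only, and leave `extra_flags` empty everywhere else.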