Open emkll opened 6 years ago
s/GPG/PGP/ now that we're using Sequoia on the server side. I would probably skip "and that the sd-gpg vm has the private key to decrypt it" - it's possible that a message was encrypted with `--throw-keyids`, which would make it impossible to check that a file is encrypted for a specific key short of actually trying to decrypt it.
We should consider adding validation of the PGP payload downloaded from the SecureDrop server in sd-app before sending to sd-gpg.
This will ensure the payload is valid, and that the sd-gpg vm has the private key to decrypt it.
(edited by @redshiftzero to remove reference to script that is gone after https://github.com/freedomofpress/securedrop-workstation/pull/194 was merged)
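
A structural check of the kind discussed in this issue, as an added example (not code from securedrop-workstation): it walks the OpenPGP packet headers of a payload, lists the recipient key IDs, and reports the all-zero key ID that `--throw-keyids` leaves behind. It assumes binary (non-armored) input and version 3 public-key encrypted session key packets as laid out in RFC 4880; all function names are hypothetical.

```python
WILDCARD_KEY_ID = bytes(8)  # all-zero key ID, written when --throw-keyids is used

def _take(data, pos, n):
    if pos + n > len(data):
        raise ValueError("truncated OpenPGP data")
    return data[pos:pos + n], pos + n

def read_packet(data, pos):
    """Parse one packet (RFC 4880 section 4.2); return (tag, body, next_pos)."""
    (hdr,), pos = _take(data, pos, 1)
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                               # new-format header
        tag = hdr & 0x3F
        (first,), pos = _take(data, pos, 1)
        if first < 192:
            length = first
        elif first < 224:
            (second,), pos = _take(data, pos, 1)
            length = ((first - 192) << 8) + second + 192
        elif first == 255:
            raw, pos = _take(data, pos, 4)
            length = int.from_bytes(raw, "big")
        else:                                    # partial body length: streamed to the end
            return tag, None, len(data)
    else:                                        # old-format header
        tag = (hdr >> 2) & 0x0F
        if hdr & 0x03 == 3:                      # indeterminate length: runs to the end
            return tag, None, len(data)
        raw, pos = _take(data, pos, 1 << (hdr & 0x03))
        length = int.from_bytes(raw, "big")
    body, pos = _take(data, pos, length)
    return tag, body, pos

def check_payload(data):
    """Return recipient key IDs of a binary PGP message; ValueError if malformed."""
    recipients, pos = [], 0
    while True:
        tag, body, pos = read_packet(data, pos)
        if tag == 1 and body is not None and len(body) >= 10 and body[0] == 3:
            key_id = body[1:9]                   # v3 PKESK: version, key ID, algorithm
            recipients.append("wildcard" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
        elif tag in (9, 18) and recipients:      # encrypted data packet ends the header run
            return recipients
        else:
            raise ValueError(f"unexpected or unsupported packet (tag {tag})")

def constructed_sample(key_id):  # constructed test message, not real ciphertext
    return bytes([0xC1, 13, 3]) + key_id + bytes([1, 0, 8, 0xFF, 0xD2, 3, 1, 0xAA, 0xBB])
```

This confirms only that the payload is shaped like a public-key encrypted message; a `"wildcard"` entry means the recipient cannot be determined from the packet.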