stderr bad

cloudinit/gpg.py

@@ -101,6 +101,19 @@ def decrypt(self, data: str, *, require_signature=False) -> str:
         :return: decrypted data
         :raises: ProcessExecutionError if gpg fails to decrypt data
         """
+        if require_signature:
+            try:
+                subp.subp(
+                    ["gpg", "--verify"],
+                    data=data,
+                    update_env=self.env,
+                )
+            except subp.ProcessExecutionError as e:
+                if e.exit_code == 2:
+                    raise GpgVerificationError(
+                        "Signature verification failed"
+                    ) from e
+                raise
         result = subp.subp(
             [
                 "gpg",
@@ -109,10 +122,6 @@ def decrypt(self, data: str, *, require_signature=False) -> str:
             data=data,
             update_env=self.env,
         )
-        if require_signature and "gpg: Good signature" not in result.stderr:
-            raise GpgVerificationError(
-                "Signature verification required, but no signature found"
-            )
         return result.stdout
 
     def dearmor(self, key: str) -> str:

tests/integration_tests/userdata/test_pgp.py

@@ -353,7 +353,4 @@ def test_encrypted_message_but_required_signature(
 
     result = client.execute("cloud-init status --format=json")
     assert result.failed
-    assert (
-        "Signature verification required, but no signature found"
-        in result.stdout
-    )
+    assert "Signature verification failed" in result.stdout