Error: PGP decryption returns code 3090 due to signature verification failure in PGP Command Line 10.5

Article ID: 388771

Products

  • PGP Command Line
  • PGP Encryption Suite
  • PGP Key Management Server
  • PGP Key Mgmt Client Access and CLI API
  • PGP SDK
  • Desktop Email Encryption
  • Drive Encryption
  • Encryption Management Server
  • Endpoint Encryption
  • File Share Encryption
  • Gateway Email Encryption

Issue/Introduction

When using PGP Command Line 10.5 to decrypt files, the operation may return a non-zero exit code (3090) and report a bad signature, even if the decrypted output file is successfully created. This behavior is a functional change in version 10.5 and later, where signature verification failures are treated as hard failures to ensure data integrity.

Environment

  • PGP Command Line 10.5 and later
  • All supported Operating Systems

Cause

In PGP Command Line 10.5, the --decrypt command logic was updated. If a file is encrypted and signed, but the signing key is missing from the local keyring or is not trusted, PGP Command Line triggers a failure status. In earlier versions, the product would often decrypt the file and return a success code (0) while simply noting the signature verification issue in the logs.

Symptoms: Decryption command fails with the following errors:

  • 3037:cannot verify signature
  • 3039:signing key 0x########
  • 3090:operation failed, item not found (Exit code 3090 returned to the shell)

Resolution

To resolve this issue, perform one of the following:

  1. Trust the Signing Key: Import the sender's public key (and all subkeys) and set the trust level to "Trusted" or "Marginal" on the local keyring.
  2. Verify Output Existence: If the signature verification is not critical for the workflow, adjust automation scripts to verify the creation and size of the output file regardless of the 3090 exit code.
  3. Disable Signature Requirement: Request the sender to encrypt the file without a digital signature if non-repudiation is not required.
  4. Use Detailed Logging: Run the command with --verbose and --temp-cleanup off to confirm that the file content is decrypted successfully before the signature check fails.
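
Option 2 as an automation helper, given here as an added example that is not part of the vendor article: a non-zero exit is accepted only when the log contains the 3037 message listed under Symptoms and the output file is non-empty, and such files go to a quarantine directory instead of the normal destination. The function names, directory names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies one `pgp --decrypt` run using the
# status message text quoted in this article (3037:cannot verify signature).
# Hypothetical names: classify_decrypt, route_output, accepted/, quarantine/.

# classify_decrypt RC LOGFILE OUTFILE
# Prints one of: OK, UNVERIFIED, FAILED.
classify_decrypt() {
    rc=$1; log=$2; out=$3
    if [ "$rc" -eq 0 ]; then
        echo OK
        return 0
    fi
    # Any non-zero exit: only the signature-verification case is tolerated,
    # and only when plaintext was actually written to disk.
    if grep -q '3037:cannot verify signature' "$log" && [ -s "$out" ]; then
        echo UNVERIFIED
        return 0
    fi
    echo FAILED
}

# route_output STATE OUTFILE BASEDIR
# Keeps unverified plaintext apart from output that passed without error,
# so downstream jobs never pick it up as authenticated data.
route_output() {
    state=$1; out=$2; base=$3
    case $state in
        OK)         dest=$base/accepted ;;
        UNVERIFIED) dest=$base/quarantine ;;
        *)          rm -f "$out"; return 1 ;;
    esac
    mkdir -p "$dest" && mv "$out" "$dest/"
}

# Call site (paths are placeholders; passphrase options omitted):
#   pgp --decrypt in.pgp --output out.dat >run.log 2>&1; rc=$?
#   state=$(classify_decrypt "$rc" run.log out.dat)
#   route_output "$state" out.dat /path/to/inbox
```

Files that land in `quarantine/` have been decrypted but their sender has not been authenticated; importing and trusting the signing key (option 1) is what moves them to the `OK` path.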
