PGP encrypted messages aren't authenticated by default. Even when you add signing, however, they're vulnerable to a "surreptitious forwarding attack". Normally when you read an encrypted message you know that you were the intended recipient, because the message is encrypted to your public key. When that message is also signed, you technically still know that it was encrypted for you, but you don't know whether the encrypter and the signer were the same person. If Alice signs-and-encrypts a message to Bob, Bob can decrypt the message and then reencrypt the same signed message for Charlie. The result is a message that appears to be from Alice to Charlie, even though that might not be how Alice intended it.
If you run
gpg --decrypt on a corrupt message, it will print the plaintext to
stdout, and you'll only find out if the message is bad at the end, after
you've streamed out unsigned data. Try it on this message signed by Jack's
-----BEGIN PGP MESSAGE----- Version: GnuPG v2 kA0DAAIBcYdraK1ILTIBy5liAFaqa7BKb2huIEphY29iIEppbmdsZWhlaW1lciBT Y2htaWR0LApIaXMgbmFtZSBpcyBteSBuYW1lIHRvby4KV2hlbmV2ZXIgd2UgZ28g b3V0LApUaGUgcGVvcGxlIGFsd2F5cyBzaG91dCwKVGhlcmUgZ29lcyBBIE1BTiBJ TiBUSEUgTUlERExFIE9IIFNISUlJMTF0IQqJARwEAAECAAYFAlaqa7AACgkQcYdr aK1ILTK6Ewf9GIIzBmtGuNeJXUGAoDbG5mmVDyMwpu3i72OwOfoSo+4GI6mT/FuV PKh7HCKwglmTuO2oazg0sUnoktjmHxdNQuJZ+6ii/5xXb80XEHFECFDClrjwbkeE +3irJDrpnmuQzRyJVOYh+fr7dxrlN7pgMdjlkbAgWnATZ+k1zf8z40p8SANNpXHt 9yie6nuzKUd1LUujPa4sz6BfNW0Clcp3c0XFeU2je//4TcZ+4/Ql2B1/MdzqF4+G TPh+B1L8k9F9TNgyh9lXyez90oRLEvw3+3o9+CvMvQb6Gb8aR+eW/rE+wabdiwSY qfLaI0VHvwNCa1NV/5MmX6UKUzNV2c4vcAo= =uIW7 -----END PGP MESSAGE-----
Even with the
--hidden-recipient flag, RSA encryption leaks some information
about the recipient's key.
Almost all apps, email clients, chat clients, and web pages do post-processing on the text people post. PGP's whitespace pattern, use of hyphens and slashes, and header lines are not friendly. You shouldn't have to edit a message by hand before passing it off to your crypto program.
PGP's strategy of composable, nested streams is a headache to implement and allows attackers to craft messages that explode memory usage. There are workarounds, but the underlying problem is that the spec gives message crafters too much flexibility.
The spec requires key fingerprints to be output by SHA1. That hasn't bitten PGP yet but who knows. And for whatever reason, modern PGP clients will still accept signatures and keys that use SHA1, often with dire consequences.