feat: Improve GPG encryption and decryption handling with enhanced error messages and compression order

Author: osmontero

pkg/tar/gpg.go

@@ -10,7 +10,7 @@ import (
 
 // GPGHandler handles GPG encryption, decryption, signing, and verification
 type GPGHandler struct {
-	KeyID     string
+	KeyID       string
 	KeyringPath string
 }
 
@@ -244,8 +244,20 @@ func (r *gpgReader) Read(p []byte) (n int, err error) {
 	if err == io.EOF {
 		// Wait for process to complete
 		if waitErr := r.cmd.Wait(); waitErr != nil {
+			// Provide more helpful error messages based on common GPG errors
+			exitErr, ok := waitErr.(*exec.ExitError)
+			if ok {
+				switch exitErr.ExitCode() {
+				case 2:
+					return n, fmt.Errorf("GPG decryption failed: file may not be encrypted or wrong key used (exit code 2)")
+				case 9:
+					return n, fmt.Errorf("GPG decryption failed: no secret key available (exit code 9)")
+				default:
+					return n, fmt.Errorf("GPG process failed with exit code %d: %w", exitErr.ExitCode(), waitErr)
+				}
+			}
 			return n, fmt.Errorf("GPG process failed: %w", waitErr)
 		}
 	}
 	return n, err
-}
+}

pkg/tar/tar.go

@@ -71,15 +71,7 @@ func (ta *TarArchive) Create(sourceDir string) error {
 
 	var writer io.Writer = file
 
-	// Add gzip compression if enabled
-	var gzipWriter *gzip.Writer
-	if ta.Options.Compression {
-		gzipWriter = gzip.NewWriter(writer)
-		writer = gzipWriter
-		defer gzipWriter.Close()
-	}
-
-	// Add GPG encryption if enabled
+	// Add GPG encryption first (outermost layer)
 	var encryptedWriter io.WriteCloser
 	if ta.Options.GPGEncrypt && ta.gpg != nil {
 		encryptedWriter, err = ta.gpg.Encrypt(writer)
@@ -90,6 +82,14 @@ func (ta *TarArchive) Create(sourceDir string) error {
 		defer encryptedWriter.Close()
 	}
 
+	// Add gzip compression (middle layer)
+	var gzipWriter *gzip.Writer
+	if ta.Options.Compression {
+		gzipWriter = gzip.NewWriter(writer)
+		writer = gzipWriter
+		defer gzipWriter.Close()
+	}
+
 	tarWriter := tar.NewWriter(writer)
 	defer tarWriter.Close()
 
@@ -191,8 +191,32 @@ func (ta *TarArchive) Extract(destDir string) error {
 
 	var reader io.Reader = file
 
-	// Handle GPG decryption if encrypted
+	// Check if the file is actually encrypted before trying to decrypt
+	actuallyEncrypted := false
 	if ta.Options.GPGEncrypt && ta.gpg != nil {
+		// Read a small header to check if it's encrypted
+		header := make([]byte, 50)
+		n, err := file.Read(header)
+		if err != nil && err != io.EOF {
+			return fmt.Errorf("failed to read file header: %w", err)
+		}
+
+		actuallyEncrypted = ta.gpg.IsEncrypted(header[:n])
+
+		// Reset file position
+		file.Seek(0, 0)
+
+		if ta.Options.Verbose {
+			if actuallyEncrypted {
+				fmt.Printf("File is GPG encrypted, decrypting...\n")
+			} else {
+				fmt.Printf("File is not encrypted despite .gpg extension\n")
+			}
+		}
+	}
+
+	// Handle GPG decryption if actually encrypted
+	if actuallyEncrypted && ta.gpg != nil {
 		decryptedReader, err := ta.gpg.Decrypt(reader)
 		if err != nil {
 			return fmt.Errorf("failed to decrypt archive: %w", err)
@@ -372,12 +396,12 @@ func IsTarFile(path string) bool {
 // ParseTarOptions determines TAR options from file extension
 func ParseTarOptions(path string) TarOptions {
 	path = strings.ToLower(path)
-	
+
 	options := TarOptions{
 		Compression: strings.Contains(path, ".gz") || strings.Contains(path, ".tgz"),
 		GPGEncrypt:  strings.HasSuffix(path, ".gpg"),
 		GPGSign:     false, // This should be set explicitly by user
 	}
 
 	return options
-}
+}