gnupg, pgp

How do you verify an encrypted and signed file with gpg?


I am trying to get a better understanding of what is going on with gpg.

If you have a file and sign it: gpg --sign file.txt

you can verify it with: gpg --verify file.txt.gpg

When it succeeds, you get the output: gpg: Signature made...

But when you sign AND encrypt a file: gpg --encrypt --sign -r test@email.com file.txt

and then run --verify on the encrypted file, I get: gpg: verify signatures failed: Unexpected error

I know that I can just call --decrypt on the file and it will verify and decrypt it, but what if I want to verify only?


Solution

  • I figured out the answer to this and then some. So I am going to add some additional information for clarity.

    First of all, I realized, based on the last line of this answer, that gpg uses SIGN THEN ENCRYPT. This means that calling --verify, or any variation of verify, on an encrypted file will just output gpg: verify signatures failed: Unexpected error. This happens because the signature is "hidden" inside the encryption, so when you call --verify on the file, it will not see a signature.

    Secondly, the --decrypt flag will both decrypt the file AND if the file is signed, verify it too.

    Here is what --decrypt is doing. It looks at your default secret keyring secring.kbx in ~/.gnupg to use a secret key for decrypting the file. Then after it is decrypted, it looks at your default public keyring pubring.kbx in the folder ~/.gnupg and tries to verify the signature on the file, if it has one.

    With that said, there is no reason to verify a signed file BEFORE decrypting it.

    Thirdly, as an added bonus, you can also specify the keyring you want to use for decryption and verification. Say you want to use a temporary keyring to verify signatures, or for whatever reason you want a temporary keyring to decrypt the message too.

    You can specify the keyrings for --decrypt to use with the following command:

    gpg --secret-keyring path/to/temp/secring.kbx --keyring path/to/temp/pubring.kbx --decrypt file.txt.gpg

    This command will look for the secret ring and public ring at the specified paths and use those rings for decryption and verification instead of the default rings found in ~/.gnupg. Want to use a default ring together with a temp ring? Just omit the flag and path for the ring you want left at its default.

    All in all, for encrypted and signed files, if you want to decrypt and verify that file, you need to make sure that the private key for decryption is in your secret keyring and the public key for verification is in your public keyring.
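The behaviour the answer describes, reproduced end to end as an added example (this is not code from the question or the answer): two throw-away keys are generated in temporary home directories, a file is signed and encrypted, and the three outcomes are shown: --verify on the ciphertext fails, --decrypt without the recipient's secret key fails, and --decrypt with the secret key recovers the plaintext and reports NO_PUBKEY or GOODSIG depending on whether the signer's public key is present. It assumes GnuPG 2.1 or later and isolates keyrings with separate --homedir directories rather than the --secret-keyring/--keyring options from the answer (GnuPG 2.1 and later keep secret keys in private-keys-v1.d under the home directory and ignore --secret-keyring). The user IDs, e-mail addresses and plaintext are made up, and the script checks gpg's exit status and --status-fd lines rather than the exact wording of the error message, which varies between versions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Reproduces the answer's points with throw-away keys in temporary home directories:
#   1. --verify on a signed-then-encrypted file fails: the signature is inside the ciphertext
#   2. --decrypt decrypts and, in the same pass, verifies the inner signature
#   3. the keys available decide the outcome: the recipient's secret key is needed to
#      decrypt, the signer's public key to verify
# Assumptions: GnuPG 2.1 or later; separate --homedir directories stand in for the
# answer's --secret-keyring/--keyring options; user IDs, addresses and plaintext are made up.
set -eu

SENDER_HOME=$(mktemp -d)   # plays the sender's ~/.gnupg
RECIP_HOME=$(mktemp -d)    # plays the recipient's (temporary) keyring
WORK=$(mktemp -d)
chmod 700 "$SENDER_HOME" "$RECIP_HOME"

cleanup() {
    for h in "$SENDER_HOME" "$RECIP_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$SENDER_HOME" "$RECIP_HOME" "$WORK"
}
trap cleanup EXIT

# gpg wrapper: unattended, no pinentry, empty passphrase for the throw-away keys.
g() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# One key per party (made-up user IDs).
g "$SENDER_HOME" --quick-gen-key 'Sender <sender@example.com>' default default never
g "$RECIP_HOME"  --quick-gen-key 'Recipient <recipient@example.com>' default default never

# The sender needs the recipient's public key to encrypt. The recipient gets the
# sender's public key only later, to show the difference it makes to --decrypt.
g "$RECIP_HOME" --export recipient@example.com | g "$SENDER_HOME" --import
g "$SENDER_HOME" --export sender@example.com > "$WORK/sender.pub"

printf 'constructed plaintext for the example\n' > "$WORK/file.txt"
g "$SENDER_HOME" --trust-model always -r recipient@example.com \
    --sign --encrypt -o "$WORK/file.txt.gpg" "$WORK/file.txt"

# Point 1: --verify on the ciphertext. gpg finds no signature packet to check.
verify_ciphertext() {   # prints verify-ok or verify-failed
    if g "$RECIP_HOME" --verify "$WORK/file.txt.gpg" 2>/dev/null; then
        echo verify-ok
    else
        echo verify-failed
    fi
}

# Points 2 and 3: --decrypt with the keys of the given home directory. The machine-readable
# --status-fd lines are what a script should read; human-readable messages vary by version.
decrypt_and_check() {   # $1 = homedir; prints NODECRYPT, GOODSIG, BADSIG, NO_PUBKEY or NOSIG
    status=$(g "$1" --status-fd 1 -o "$WORK/out.txt" --decrypt "$WORK/file.txt.gpg" 2>/dev/null) || true
    case $status in
        *DECRYPTION_OKAY*) ;;
        *) echo NODECRYPT; return 0 ;;
    esac
    case $status in
        *GOODSIG*)   echo GOODSIG ;;
        *BADSIG*)    echo BADSIG ;;
        *NO_PUBKEY*) echo NO_PUBKEY ;;
        *)           echo NOSIG ;;
    esac
}

echo "--verify on the encrypted file:           $(verify_ciphertext)"
echo "--decrypt in the sender's home:           $(decrypt_and_check "$SENDER_HOME")"
echo "--decrypt, signer's public key missing:   $(decrypt_and_check "$RECIP_HOME")"
g "$RECIP_HOME" --import "$WORK/sender.pub"
echo "--decrypt, signer's public key imported:  $(decrypt_and_check "$RECIP_HOME")"
if cmp -s "$WORK/out.txt" "$WORK/file.txt"; then echo "plaintext recovered"; fi
```

The status lines are the part worth scripting against: DECRYPTION_OKAY says the recipient's secret key did its job, GOODSIG (together with VALIDSIG) says the inner signature checked out, and NO_PUBKEY says the message decrypted but the signer's key was not in the keyring, so nothing was verified. In that last case gpg still writes the plaintext to the output file, so a script that only looks for the output file would mistake "decrypted" for "verified"; check the signature status explicitly before trusting the contents.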