correctly detect that key is not trusted before encrypting. Doc says: "gpg just prints a message to the console, but does not provide a specific error indication that the Python wrapper can use." Fixes #8040. See #8041

src/common/gnupg.py

@@ -1094,7 +1094,7 @@ class GPG(object):
                 getattr(result, keyword)(L)
         return result
 
-    def list_keys(self, secret=False):
+    def list_keys(self, secret=False, keys=None):
         """ list the keys currently in the keyring
 
         >>> import shutil
@@ -1116,6 +1116,9 @@ class GPG(object):
             which='secret-keys'
         args = ["--list-%s" % which, "--fixed-list-mode", "--fingerprint",
                 "--with-colons"]
+        if keys:
+            for key in keys:
+                args.append(key)
         p = self._open_subprocess(args)
         return self._get_list_output(p, 'list')
 

src/common/gpg.py

@@ -54,12 +54,16 @@ if HAVE_GPG:
                 for key in recipients:
                     if key not in self.always_trust:
                         trust = False
+            if not trust:
+                # check that we'll be able to encrypt
+                result = super(GnuPG, self).list_keys(recipients,
+                    keys=recipients)
+                for key in result:
+                    if key['trust'] not in ('f', 'u'):
+                        return '', 'NOT_TRUSTED'
             result = super(GnuPG, self).encrypt(str_, recipients,
                 always_trust=trust, passphrase=self.passphrase)
 
-            if result.status == 'invalid recipient':
-                return '', 'NOT_TRUSTED'
-
             if result.ok:
                 error = ''
             else: