[Throwthrowbob]

A friend of mine wanted me to send them encrypted .gpg files due to being remote but not having the files on their person. They found that downloading some of these files from failed to download.

After testing and submitting a bug report, they were told that ProtonMail assumes attachments are encrypted with the user's address keys, and tries to decrypt them (the .gpg extension is stripped when recovering/recreating the original file name).

The biggest surprise was ProtonMail had suggested for my friend to import their private key corresponding to the public key for the attachments as a workaround. My friend did not agree to do this.