Add workaround for decryption with non-encryption subkey

pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt

@@ -43,6 +43,7 @@ class ConsumerOptions {
     private val decryptionPassphrases = mutableSetOf<Passphrase>()
     private var missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE
     private var multiPassStrategy: MultiPassStrategy = InMemoryMultiPassStrategy()
+    private var allowDecryptionWithNonEncryptionKey: Boolean = false
 
     /**
      * Consider signatures on the message made before the given timestamp invalid. Null means no
@@ -328,6 +329,14 @@ class ConsumerOptions {
 
     fun isIgnoreMDCErrors(): Boolean = ignoreMDCErrors
 
+    fun setAllowDecryptionWithNonEncryptionKey(allow: Boolean): ConsumerOptions = apply {
+        allowDecryptionWithNonEncryptionKey = allow
+    }
+
+    fun getAllowDecryptionWithNonEncryptionKey(): Boolean {
+        return allowDecryptionWithNonEncryptionKey
+    }
+
     /**
      * Force PGPainless to handle the data provided by the [InputStream] as non-OpenPGP data. This
      * workaround might come in handy if PGPainless accidentally mistakes the data for binary

pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt

@@ -409,6 +409,11 @@ class OpenPgpMessageInputStream(
             val decryptionKeyCandidates = getDecryptionKeys(pkesk)
             for (decryptionKeys in decryptionKeyCandidates) {
                 val secretKey = decryptionKeys.getSecretKeyFor(pkesk)!!
+                if (!secretKey.isEncryptionKey && !options.getAllowDecryptionWithNonEncryptionKey()) {
+                    LOGGER.debug(
+                        "Message is encrypted for ${secretKey.keyIdentifier}, but the key is not encryption capable.")
+                    continue
+                }
                 if (hasUnsupportedS2KSpecifier(secretKey)) {
                     continue
                 }