diff --git a/pgp/keysource.go b/pgp/keysource.go
index b968a3046..9a5bec5da 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
@@ -131,7 +131,7 @@ func (d GnuPGHome) Import(armoredKey []byte) error {
 	}
 
 	args := []string{"--batch", "--import"}
-	err, _, stderr := gpgExec(d.String(), args, bytes.NewReader(armoredKey))
+	_, stderr, err := gpgExec(d.String(), args, bytes.NewReader(armoredKey))
 	if err != nil {
 		return fmt.Errorf("failed to import armored key data into GnuPG keyring: %s", strings.TrimSpace(stderr.String()))
 	}
@@ -318,7 +318,7 @@ func (key *MasterKey) encryptWithGnuPG(dataKey []byte) error {
 		fingerprint,
 		"--no-encrypt-to",
 	}
-	err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
+	stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
 	if err != nil {
 		return fmt.Errorf("failed to encrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String()))
 	}
@@ -407,7 +407,7 @@ func (key *MasterKey) decryptWithGnuPG() ([]byte, error) {
 	args := []string{
 		"-d",
 	}
-	err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
+	stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s",
 			strings.TrimSpace(stderr.String()))
@@ -564,7 +564,7 @@ func fingerprintIndex(ring openpgp.EntityList) map[string]openpgp.Entity {
 // gpgExec runs the provided args with the gpgBinary, while restricting it to
 // homeDir when provided. Stdout and stderr can be read from the returned
 // buffers. When the command fails, an error is returned.
-func gpgExec(homeDir string, args []string, stdin io.Reader) (err error, stdout bytes.Buffer, stderr bytes.Buffer) {
+func gpgExec(homeDir string, args []string, stdin io.Reader) (stdout bytes.Buffer, stderr bytes.Buffer, err error) {
 	if homeDir != "" {
 		args = append([]string{"--homedir", homeDir}, args...)
 	}
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
index 187a75b1d..9de3b1af1 100644
--- a/pgp/keysource_test.go
+++ b/pgp/keysource_test.go
@@ -56,14 +56,14 @@ func TestGnuPGHome_Import(t *testing.T) {
 	assert.NoError(t, err)
 	assert.NoError(t, gnuPGHome.Import(b))
 
-	err, _, stderr := gpgExec(gnuPGHome.String(), []string{"--list-keys", mockFingerprint}, nil)
+	_, stderr, err := gpgExec(gnuPGHome.String(), []string{"--list-keys", mockFingerprint}, nil)
 	assert.NoErrorf(t, err, stderr.String())
 
 	b, err = os.ReadFile(mockPrivateKey)
 	assert.NoError(t, err)
 	assert.NoError(t, gnuPGHome.Import(b))
 
-	err, _, stderr = gpgExec(gnuPGHome.String(), []string{"--list-secret-keys", mockFingerprint}, nil)
+	_, stderr, err = gpgExec(gnuPGHome.String(), []string{"--list-secret-keys", mockFingerprint}, nil)
 	assert.NoErrorf(t, err, stderr.String())
 
 	assert.Error(t, gnuPGHome.Import([]byte("invalid armored data")))
@@ -271,7 +271,7 @@ func TestMasterKey_encryptWithGnuPG(t *testing.T) {
 		args := []string{
 			"-d",
 		}
-		err, stdout, stderr := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
+		stdout, stderr, err := gpgExec(key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
 		assert.NoError(t, err, stderr.String())
 		assert.Equal(t, data, stdout.Bytes())
 	})
@@ -321,7 +321,7 @@ func TestMasterKey_Decrypt(t *testing.T) {
 	fingerprint := shortenFingerprint(mockFingerprint)
 
 	data := []byte("this data is absolutely top secret")
-	err, stdout, stderr := gpgExec(gnuPGHome.String(), []string{
+	stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 		"--no-default-recipient",
 		"--yes",
 		"--encrypt",
@@ -403,7 +403,7 @@ func TestMasterKey_decryptWithOpenPGP(t *testing.T) {
 		fingerprint := shortenFingerprint(mockFingerprint)
 
 		data := []byte("this data is absolutely top secret")
-		err, stdout, stderr := gpgExec(gnuPGHome.String(), []string{
+		stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 			"--no-default-recipient",
 			"--yes",
 			"--encrypt",
@@ -451,7 +451,7 @@ func TestMasterKey_decryptWithGnuPG(t *testing.T) {
 		fingerprint := shortenFingerprint(mockFingerprint)
 
 		data := []byte("this data is absolutely top secret")
-		err, stdout, stderr := gpgExec(gnuPGHome.String(), []string{
+		stdout, stderr, err := gpgExec(gnuPGHome.String(), []string{
 			"--no-default-recipient",
 			"--yes",
 			"--encrypt",