gpg: add --passphrase-env VARNAME to read passphrase from environment
* g10/keydb.h: declare set_passphrase_from_environment_variable() * g10/passphrase.c: set_passphrase_from_environment_variable() new function * g10/gpg.c: add new --passphrase-env argument, handle it.
There are problems or difficulties (to varying degrees) with all of
the techniques available for sending a passphrase directly to the
GnuPG process when --pinentry-mode=loopback:
- Passphrases on the command line often leak into the process table.
- Passphrases in a file often leak into the disk.
- Using an extra file descriptor to send a passphrase works well on platforms that make it easy to allocate and use extra file descriptors, but is pretty awkward on platforms that don't facilitate this.
So this patch adds a new form of passphrase-passing, using an
environment variable. In POSIX shell, this looks like (for example):
mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback\ --passphrase-env=mypass --decrypt < message.txt
Hopefully, this is easier to use than --passphrase-fd on platforms or
language toolkits that don't facilitate file descriptor manipulation.
- Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>