mirror of https://github.com/getsops/sops.git synced 2026-02-05 12:45:21 +01:00

2 Commits

Author SHA1 Message Date
Hidde Beydals
8a98401488 pgp: extend test coverage OpenPGP
Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-30 16:05:13 +02:00
Hidde Beydals
c6236ada56 pgp: modernize and improve, and add tests
This replaces the current PGP keysource implementation with a modernized
version the Flux project has been using[1].

It includes utilities to configure the MasterKey via other means than
environment variables, to allow SDK users to have extensive control
over what things are decrypted with. This can for example be combined
with their own keyserver implementation.

To be able to contribute it back upstream while keeping it backwards
compatible with SOPS, a couple of changes have been made compared to
Flux:
- Instead of removing the enabling of the agent while making use of
  GnuPG, it can now be disabled.
- Support for OpenPGP has been added back. Note however my comments
  on this in-code, as I am not quite sure to what extent it is used
  at the moment, as it will not work on most setups (GnuPG <2.1 was
  released in 2017.)
- The absolute paths to the pub and sec keyrings can now be configured
  by SDK users. This would add more reason to keep OpenPGP around, if
  they are able to produce the keyring files themselves via other means
  than GnuPG.
- When a sec keyring is not detected, a lookup for the pub keyring is
  made and loaded instead if found. This is to account for GnuPG >=2.1
  merging the sec keyring into the pub keyring.
- Support for fetching keys from servers has been removed. This can be
  added back if we need to keep it around for a little longer.

This has extensive test coverage for GnuPG, but would need coverage for
the re-added OpenPGP implementation before it can be deemed ready.

[1]: ffdda3f3da/internal/sops/pgp

Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 11:02:42 +02:00