dyne
Change password input for gpg operations
Creating as draft, as this needs to be thoroughly tested and checked and isn't finished/cleaned up yet. If finished the commit messages will be updated to include the issues it closes (if any...).
Background of this PR is the issue that tomb has issues with passwords that try to use characters in a combination so they create control sequences for the shell. For example newline \n, form feed \f and tabulator \t.
This is due how the password is provided for the gpg call. gpg is used with --passphrase-fd 0 which reads the password from STDIN until it encounters a newline. Unfortunately this means the shell interprets those character sequences in the password itself. Especially fatal in case of \n as this will reduce the password to this point. Example: you want to set password test\ntest. gpg, while reading STDIN, will stop at \n and the resulting password will be only test.
Not sure yet what happens with the rest, but it does seem to be discarded in general and not added to or used as TOMBSECRET.
Two ways to avoid interpreting control sequences:
- change
--passphrase-fdto a dedicated descriptor above 2 (like--passphrase-fd 3and input password like3<<<"$password" - use
--passphrase-fileand use an anonymous pipe (how it is done with this PR)
In general the first option is similar to the current solution. But is untested if the redirect isn't visible while tracing. But I will also create a draft with that solution. Makes it easier to compare and check by others. The second option uses an option which is discouraged. But the anonymous pipe should address concerns in regard to that.
