From 6a251287916a8b5a18a54b24bdcff2174574d8f6 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Wed, 31 Jul 2019 12:31:16 -0400
Subject: [PATCH 1/2] gpg: Pass the passphrase to the gpg2 tool using a file

Rather than passing the passphrase via command line write it into
a temp. file and pass the name of the file using passphrase-file option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 pkg/encryption/gpg.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkg/encryption/gpg.go b/pkg/encryption/gpg.go
index b525d35bc..88be15e52 100644
--- a/pkg/encryption/gpg.go
+++ b/pkg/encryption/gpg.go
@@ -131,7 +131,16 @@ func (gc *gpgv2Client) GetGPGPrivateKey(keyid uint64, passphrase string) ([]byte
 		args = append(args, []string{"--homedir", gc.gpgHomeDir}...)
 	}
 
-	args = append(args, []string{"--pinentry-mode", "loopback", "--batch", "--passphrase", passphrase, "--export-secret-key", fmt.Sprintf("0x%x", keyid)}...)
+	tempfile, err := ioutil.TempFile("", "gpg2*")
+	if err != nil {
+		return nil, errors.Wrapf(err, "could not create temporary file")
+	}
+	defer os.Remove(tempfile.Name())
+	if err := ioutil.WriteFile(tempfile.Name(), []byte(passphrase), 0600); err != nil {
+		return nil, errors.Wrapf(err, "could not write to temporary file")
+	}
+
+	args = append(args, []string{"--pinentry-mode", "loopback", "--batch", "--passphrase-file", tempfile.Name(), "--export-secret-key", fmt.Sprintf("0x%x", keyid)}...)
 
 	cmd := exec.Command("gpg2", args...)
 

From 5cf79913e4c3192459277a2ca85b42a156b46b76 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Wed, 31 Jul 2019 16:03:44 -0400
Subject: [PATCH 2/2] gpg: Use a Pipe() rather than a file

Use a Pipe() rather than a file to pass the passphrase to the command
line tool. Pass the file descriptor to read the passphrase from as fd '3'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 pkg/encryption/gpg.go | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/pkg/encryption/gpg.go b/pkg/encryption/gpg.go
index 88be15e52..821525e83 100644
--- a/pkg/encryption/gpg.go
+++ b/pkg/encryption/gpg.go
@@ -131,18 +131,24 @@ func (gc *gpgv2Client) GetGPGPrivateKey(keyid uint64, passphrase string) ([]byte
 		args = append(args, []string{"--homedir", gc.gpgHomeDir}...)
 	}
 
-	tempfile, err := ioutil.TempFile("", "gpg2*")
+	rfile, wfile, err := os.Pipe()
 	if err != nil {
-		return nil, errors.Wrapf(err, "could not create temporary file")
-	}
-	defer os.Remove(tempfile.Name())
-	if err := ioutil.WriteFile(tempfile.Name(), []byte(passphrase), 0600); err != nil {
-		return nil, errors.Wrapf(err, "could not write to temporary file")
+		return nil, errors.Wrapf(err, "could not create pipe")
 	}
+	defer func() {
+		rfile.Close()
+		wfile.Close()
+	}()
+	// fill pipe in background
+	go func(passphrase string) {
+		wfile.Write([]byte(passphrase))
+		wfile.Close()
+	}(passphrase)
 
-	args = append(args, []string{"--pinentry-mode", "loopback", "--batch", "--passphrase-file", tempfile.Name(), "--export-secret-key", fmt.Sprintf("0x%x", keyid)}...)
+	args = append(args, []string{"--pinentry-mode", "loopback", "--batch", "--passphrase-fd", fmt.Sprintf("%d", 3), "--export-secret-key", fmt.Sprintf("0x%x", keyid)}...)
 
 	cmd := exec.Command("gpg2", args...)
+	cmd.ExtraFiles = []*os.File{rfile}
 
 	return runGPGGetOutput(cmd)
 }