Open joemiller opened 7 years ago
Also
export SOPS_PGP_FP="keybase:joemiller,keybase:foo,keybase:bar"
What should this do under the hood? Download the public key into the pubring of the user, like gpg --recv-keys would, then use the fingerprint to create the document? Or should it bypass the pubring entirely (which is significantly more complex)?
@jvehent That is a good question and I don't know the right answer. If implementation is easier I think downloading into the user's pubring would be OK. It should also probably check and update the key if it has changed.
I think downloading into the pubring is the most logical thing to do, but it might require calling out to the gpg binary which I really don't like (it's not portable).
We might also want to support other providers. GitHub exposes public keys as well:
$ curl -s -H "Accept: application/vnd.github.cryptographer-preview" https://api.github.com/users/jvehent/gpg_keys |jq -r '.[].public_key'
xsBNBFF/69EBCADe79sqUKJHXTMW3tahbXPdQAnpFWXChjI9tOGbgxmse1eEGjPZQPFOPgu3O3iij6UOVh+LOkqccjJ8gZVLYMJzUQC+2RJ3jvXhti8xZ1hs2iEr65RjzUklHVZguf2Zv2X9Er8rnlW5xzplsVXNWnVvMDXyzx0ufC00dDbCwahLQnv6Vqq8BdUCSrvo/r7oAims8SyWE+ZObC+rw7u01Sut0ctnYrvklaM10+zkwGNOTszrduUykJUYMoFPU3I+QhaTw1K/nhs5lSgegxDUlgXI39I8wlRp/fynghRWPtYnMSMsbZrPtpSCflNGEStVBdVHZvj0T1fCist59zh2IqeHABEBAAE=
It would be great to be able to do this:
The GPG key for keybase.io user 'joemiller' would be fetched via HTTPS from https://keybase.io/joemiller/pgp_keys.asc
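The entry syntax proposed in this thread could be resolved as sketched below. This is an added example, not code from sops or from any participant: `ResolveEntries`, `KeyRef` and the username pattern are assumptions, and the code only builds the fetch URL without performing the download or touching a pubring.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// KeyRef is one resolved entry of a SOPS_PGP_FP-style list (hypothetical type).
type KeyRef struct {
	Fingerprint string // set when the entry is a plain 40-hex-digit fingerprint
	FetchURL    string // set when the entry is keybase:<user>
}

var (
	fpRe   = regexp.MustCompile(`^[0-9A-Fa-f]{40}$`)
	userRe = regexp.MustCompile(`^[a-z0-9_]{1,16}$`) // assumed keybase username rules
)

// ResolveEntries splits a comma-separated list and maps each entry to either a
// fingerprint or an HTTPS URL on keybase.io; anything else is rejected.
func ResolveEntries(list string) ([]KeyRef, error) {
	var out []KeyRef
	for _, raw := range strings.Split(list, ",") {
		e := strings.TrimSpace(raw)
		compact := strings.ReplaceAll(e, " ", "") // allow "ABCD EF01 ..." grouping
		switch {
		case e == "":
			continue
		case strings.HasPrefix(e, "keybase:"):
			user := strings.TrimPrefix(e, "keybase:")
			if !userRe.MatchString(user) { // blocks "/", "..", "?" reaching the URL
				return nil, fmt.Errorf("invalid keybase username %q", user)
			}
			u := url.URL{Scheme: "https", Host: "keybase.io", Path: "/" + user + "/pgp_keys.asc"}
			out = append(out, KeyRef{FetchURL: u.String()})
		case fpRe.MatchString(compact):
			out = append(out, KeyRef{Fingerprint: strings.ToUpper(compact)})
		default:
			return nil, fmt.Errorf("unrecognized entry %q", e)
		}
	}
	return out, nil
}

func main() {
	// Constructed input: two usernames from the thread and a made-up fingerprint.
	refs, err := ResolveEntries("keybase:joemiller,0123456789abcdef0123456789abcdef01234567,keybase:foo")
	fmt.Println(refs, err)
}
```

Recording the fingerprint of each fetched key next to the username would give a later run something to compare against when a key has changed, which is the update check raised above.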