sop-openpgpjs wants to read passwords directly from the command line, rather than treating them as indirect parameters (e.g. as a filename that contains the password).
The spec treats PASSWORD style arguments as indirect parameters, not direct parameters. So with this example:
The encrypted output should use a password of monkey, not the literal string password.txt.
See for example, the test suite: https://github.com/openpgpjs/sop-openpgpjs/blob/0e5ced55563d881c021436d9802dfbe21d79d069/test/run#L11
There's more discussion about indirect vs. direct PASSWORD data types in https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/45 -- the spec probably should have been more explicit, so this is at least in part my fault for lack of clarity in the original draft. But putting passwords directly on the command line is bad practice in general, because command-line parameters leak to the process table, which is globally visible in many environments.
I think that sop-openpgpjs gets session-key parameters right here -- it doesn't expect a session key to appear as a string on the command line, if i'm reading decrypt.js correctly, rather it reads it from a file. So the only thing to fix is the --with-password arguments.
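One way to resolve --with-password values as indirect parameters, shown as an added example that is not part of the original issue and is not sop-openpgpjs code. The function names are hypothetical; the "@ENV:" designator handling and the trimming of trailing whitespace are assumptions to check against the SOP draft in use.

```javascript
// Added example, not sop-openpgpjs code. All names here are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Resolve one indirect PASSWORD value: the argument names where the
// password lives; it is never the password itself.
function resolvePassword(arg, env = process.env) {
  let raw;
  if (arg.startsWith('@ENV:')) {
    // Assumption: "@ENV:NAME" reads the password from an environment variable.
    const name = arg.slice('@ENV:'.length);
    if (env[name] === undefined) {
      throw new Error(`environment variable not set: ${name}`);
    }
    raw = env[name];
  } else {
    // Fail closed: an unreadable file is an error. Falling back to using
    // the argument as a literal password would hide the mistake.
    raw = fs.readFileSync(arg, 'utf8');
  }
  // Assumption: trailing whitespace (such as a final newline) is dropped.
  const password = raw.replace(/\s+$/, '');
  if (password.length === 0) throw new Error('empty password');
  return password;
}

// Collect every --with-password=VALUE option from an argv-style array.
function passwordsFromArgv(argv, env = process.env) {
  const prefix = '--with-password=';
  return argv
    .filter((a) => a.startsWith(prefix))
    .map((a) => resolvePassword(a.slice(prefix.length), env));
}

// Constructed sample: a password.txt file containing "monkey".
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sop-pw-'));
  const file = path.join(dir, 'password.txt');
  fs.writeFileSync(file, 'monkey\n', { mode: 0o600 });
  try {
    return passwordsFromArgv(['encrypt', `--with-password=${file}`]);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(demo());
```

With this handling only the file name appears in the process table; the password itself stays in a file whose permissions the caller controls.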