Fix gpgEncryptDefault to accept LockedBuffer for data parameter

- Changed GPGEncryptFunc signature to accept *memguard.LockedBuffer instead of []byte - Updated gpgEncryptDefault implementation to use LockedBuffer - Updated all callers including tests to pass LockedBuffer - This ensures GPG encryption data is protected in memory - Fixed linter issue with line length
2025-07-15 08:46:33 +02:00
parent 292564c6e7
commit 819902f385
3 changed files with 17 additions and 9 deletions
--- a/internal/secret/pgpunlock_test.go
+++ b/internal/secret/pgpunlock_test.go
@@ -45,7 +45,10 @@ pinentry-mode loopback
 	origDecryptFunc := secret.GPGDecryptFunc

 	// Set custom GPG functions for this test
-	secret.GPGEncryptFunc = func(data []byte, keyID string) ([]byte, error) {
+	secret.GPGEncryptFunc = func(data *memguard.LockedBuffer, keyID string) ([]byte, error) {
+		if data == nil {
+			return nil, fmt.Errorf("data buffer is nil")
+		}
 		cmd := exec.Command("gpg",
 			"--homedir", gnupgHomeDir,
 			"--batch",
@@ -60,7 +63,7 @@ pinentry-mode loopback
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
-		cmd.Stdin = bytes.NewReader(data)
+		cmd.Stdin = bytes.NewReader(data.Bytes())

 		if err := cmd.Run(); err != nil {
 			return nil, fmt.Errorf("GPG encryption failed: %w\nStderr: %s", err, stderr.String())
@@ -444,8 +447,9 @@ Passphrase: ` + testPassphrase + `
 		}

 		// GPG encrypt the private key using our custom encrypt function
-		privKeyData := []byte(ageIdentity.String())
-		encryptedOutput, err := secret.GPGEncryptFunc(privKeyData, keyID)
+		privKeyBuffer := memguard.NewBufferFromBytes([]byte(ageIdentity.String()))
+		defer privKeyBuffer.Destroy()
+		encryptedOutput, err := secret.GPGEncryptFunc(privKeyBuffer, keyID)
 		if err != nil {
 			t.Fatalf("Failed to encrypt with GPG: %v", err)
 		}