SSH/GPG keys with passwords #37

Closed
christopher-dG opened this issue Nov 13, 2019 · 3 comments · Fixed by #43 or #52
Labels
enhancement New feature or request

Comments

@christopher-dG
Member

Currently there's nothing to input a password to GPG, and this is blocking me from using my own GPG key. I've tried a few things but I need to do more digging.

@christopher-dG christopher-dG added the enhancement New feature or request label Nov 13, 2019
@DilumAluthge
Member

For what it’s worth, I don’t think you should upload your own personal GPG key anywhere.

I think the best practice here will be:

  1. Create a GitHub bot user MyBot
  2. Create a new GPG key, and upload the public key to the GitHub profile of MyBot
  3. Upload the private key to TagBot

So your tags will be signed by MyBot.

@christopher-dG
Member Author

If I used GPG for anything but Git, then I'd probably agree, but as it stands the consequence of losing my GPG key is basically the same as losing another one made for a bot.

@christopher-dG
Member Author

christopher-dG commented Feb 6, 2020

Low priority, but this could be a thing again, SSH keys too.

Some ideas:

For SSH, we need to start ssh-agent and make sure to add the output variables into the environment. Then we can follow the instructions here to ssh-add the key and avoid any future password prompts. We need to use the expect method because there's no -p option in our version of ssh-add.

GPG:

There's a Python library that handles sending input to gpg, it just needed a small patch (here). With that package, we can enable gpg-agent and import the key with the password, which should remove the need for any other password prompt.
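
The SSH steps from the comment above, as an added example that is not part of the original thread or the project's code: it starts ssh-agent, copies its output variables into the environment, and loads a passphrase-protected key without a prompt. It uses OpenSSH's `SSH_ASKPASS` mechanism in place of the expect method the comment mentions; the function names and the `KEY_PASSPHRASE` variable are hypothetical.

```python
import os
import re
import subprocess
import tempfile

# Matches the Bourne-style lines printed by `ssh-agent -s`, e.g.
#   SSH_AUTH_SOCK=/tmp/ssh-abc/agent.123; export SSH_AUTH_SOCK;
_AGENT_VAR = re.compile(r"^(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^;]+);", re.MULTILINE)


def parse_agent_output(output: str) -> dict:
    """Extract the two agent variables from `ssh-agent -s` output, or raise."""
    found = dict(_AGENT_VAR.findall(output))
    missing = {"SSH_AUTH_SOCK", "SSH_AGENT_PID"} - found.keys()
    if missing:
        raise ValueError(f"ssh-agent output lacks {sorted(missing)}")
    return found


def askpass_env(base: dict, agent: dict, askpass_path: str, passphrase: str) -> dict:
    """Environment for ssh-add: agent variables plus askpass settings."""
    env = {**base, **agent}
    env["SSH_ASKPASS"] = askpass_path
    env["SSH_ASKPASS_REQUIRE"] = "force"  # honoured by OpenSSH 8.4 and later
    env.setdefault("DISPLAY", ":0")       # older ssh-add needs DISPLAY to use askpass
    env["KEY_PASSPHRASE"] = passphrase    # hypothetical variable read by the helper
    return env


def add_key(key_path: str, passphrase: str) -> dict:
    """Start ssh-agent, load a passphrase-protected key, return the agent vars."""
    out = subprocess.run(["ssh-agent", "-s"], check=True, capture_output=True, text=True).stdout
    agent = parse_agent_output(out)
    os.environ.update(agent)  # later git/ssh child processes find the agent
    with tempfile.TemporaryDirectory() as tmp:
        helper = os.path.join(tmp, "askpass.sh")
        with open(helper, "w") as f:
            # The helper echoes the passphrase from its environment, so the
            # secret is neither stored in the script nor passed on a command line.
            f.write('#!/bin/sh\nprintf "%s\\n" "$KEY_PASSPHRASE"\n')
        os.chmod(helper, 0o700)
        subprocess.run(
            ["ssh-add", key_path],
            env=askpass_env(dict(os.environ), agent, helper, passphrase),
            stdin=subprocess.DEVNULL,
            start_new_session=True,  # no controlling tty, so askpass is consulted
            check=True,
        )
    return agent
```

The returned `SSH_AGENT_PID` lets the caller stop the agent once the job is done, which removes the decrypted key from memory.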

@christopher-dG christopher-dG changed the title GPG keys with passwords SSH/GPG keys with passwords Feb 6, 2020
christopher-dG added a commit that referenced this issue Feb 6, 2020
I don't think this actually works properly yet, it's just a POC.