Hi,

I also think writing the passphrase to temporary files is really not secure.
IPC could be a solution, but it is quite complicated (they are binary components, and you have to provide a different one for each platform).

In my opinion, a temporary fix would be to call gpg with the arguments --passphrase mypassphrase (instead of writing the passphrase to a file and calling --passphrase-file).
I sent a patch to FireGPG a few weeks ago but I got no feedback. (OK, I also made a few other proposals, and my patch was quite messy; maybe that's the reason why it was not included.)

The main part of it was:

 
// Resolve a chrome:// URL to a local file and run it with the given
// arguments, blocking until the process exits.
function runChromeCommand(chromePath, args) {
    var ioService = Components.classes[NS_IOSERVICE_CONTRACTID].getService(Components.interfaces.nsIIOService);
    var uri = ioService.newURI(chromePath, null, null);

    // Map the chrome:// URI to the underlying URI of the packaged file.
    var realPath = Cc["@mozilla.org/chrome/chrome-registry;1"].
                    getService(Ci.nsIChromeRegistry).
                    convertChromeURL(uri);

    var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
    file.initWithPath(realPath.path);

    var process = Cc["@mozilla.org/process/util;1"].
                    createInstance(Ci.nsIProcess);
    process.init(file);

    // First argument true: block until the process has finished.
    process.run(true, args, args.length);
}

const FIREGPG_UNIX_SCRIPT = "chrome://firegpg/content/run.sh";

// The passphrase is passed as a command-line argument (--passphrase)
// instead of being written to a file for --passphrase-file.
var args = [].concat(this.getGPGCommand(), tmpStdOut,
    "--quiet", "--no-use-agent", "--no-tty", "--no-verbose", "--status-fd", "1", "--armor", "--batch",
    "--default-key", keyID,
    "--output", tmpOutput,
    "--passphrase", password,
    getGPGCommentArgument(),
    "--clearsign", tmpInput);

// Errors from launching the script are silently ignored here.
try { runChromeCommand(FIREGPG_UNIX_SCRIPT, args); } catch (e) { }

It works fine, at least on my Linux laptop.
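
Added example, not part of the original post or FireGPG's code: it compares what a child process receives in its argument vector (the data that process listings such as ps show to other local users) for the --passphrase call above and for gpg's --passphrase-fd option. Assumptions: Node.js child_process is used in place of nsIProcess, a Node child stands in for gpg so the block runs offline, and the key ID and passphrase are constructed sample values.

```javascript
// Added example: a Node.js child stands in for gpg (assumption) and reports
// what it received in argv and on stdin. Key ID and passphrase are constructed.
const { spawnSync } = require("child_process");

// Options shared by both variants, taken from the invocation in the post.
function baseArgs(keyID) {
  return ["--quiet", "--no-tty", "--status-fd", "1", "--armor", "--batch",
          "--default-key", keyID];
}

// Variant from the post: the passphrase is an element of argv.
function argsWithPassphraseInArgv(keyID, passphrase) {
  return baseArgs(keyID).concat(["--passphrase", passphrase, "--clearsign"]);
}

// Variant using gpg's --passphrase-fd: the first line read from fd 0 is the passphrase.
function argsWithPassphraseOnFd(keyID) {
  return baseArgs(keyID).concat(["--passphrase-fd", "0", "--clearsign"]);
}

// Script for the stand-in child: print its own argv and the first stdin line as JSON.
const STAND_IN = `
let data = "";
process.stdin.on("data", c => { data += c; });
process.stdin.on("end", () => console.log(JSON.stringify({
  argv: process.argv.slice(1), stdinFirstLine: data.split("\\n")[0] })));
`;

function runStandIn(args, stdinText) {
  const r = spawnSync(process.execPath, ["-e", STAND_IN, "--"].concat(args),
                      { input: stdinText, encoding: "utf8" });
  if (r.status !== 0) throw new Error(r.stderr || "stand-in child failed");
  return JSON.parse(r.stdout);
}

// Run both variants and report where the passphrase showed up in the child.
function compareExposure(keyID, passphrase) {
  const viaArgv = runStandIn(argsWithPassphraseInArgv(keyID, passphrase), "message\n");
  const viaFd = runStandIn(argsWithPassphraseOnFd(keyID), passphrase + "\nmessage\n");
  return {
    argvVariantPassphraseInArgv: viaArgv.argv.includes(passphrase),
    fdVariantPassphraseInArgv: viaFd.argv.includes(passphrase),
    fdVariantPassphraseOnStdin: viaFd.stdinFirstLine === passphrase,
  };
}

console.log(compareExposure("0xDEADBEEF", "constructed-sample-passphrase"));
```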