Description
There is a (draft) standard for a CLI interface for OpenPGP, called "Stateless OpenPGP", or "SOP" for short. The spec is available at https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/. It can be used as a standardized interface for different OpenPGP implementations, which is useful if people want to switch to a different backend for some reason.
GnuPG is the most widespread PGP implementation, but it's not OpenPGP as specified by the IETF; it's LibrePGP as specified by Werner Koch, the lead developer of GnuPG. Most other PGP implementations out there follow the OpenPGP spec. Both OpenPGP and LibrePGP have a common ancestor, RFC 4880, but evolved differently from there. Most of the ecosystem implements RFC 9580, but GnuPG forked off before that RFC was published and wrote its own follow-up to RFC 4880. This is causing compatibility issues, as seen in #896.
To enable people to choose their own PGP implementation, it'd be nice if sops allowed usage of "SOP" implementations for encryption/decryption as an alternative to GnuPG. The stateless nature of SOP and the sops config only listing a fingerprint make this a bit more difficult, because SOP implementations require keys passed as files for encryption. Key files could be fetched from the local pgp.cert.d if available, from the GnuPG keyring, or fetched from keyservers. Additional required parameters could be passed via env vars, such as SOPS_PGP_SOP_KEY for the key path for decryption, SOPS_PGP_SOP_PASSWORD for the password for decryption if the key is encrypted, and SOPS_PGP_SOP_EXEC, SOPS_PGP_SOP_ENCRYPTION_EXEC and SOPS_PGP_SOP_DECRYPTION_EXEC for binaries used for SOP, with overrides per action if people want different binaries for encryption/decryption.
Is this something that is of interest for sops?
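As an added illustration of the integration sketched in the issue (example code written for this page; it is not sops code and not code from any SOP implementation), the POSIX sh wrapper below resolves a recipient fingerprint to a certificate file (pgp.cert.d first, then a GnuPG export), picks the SOP binary per action with the proposed SOPS_PGP_SOP_*_EXEC precedence, and runs the `encrypt`/`decrypt` verbs. Assumptions not stated on the page: the SOP verbs and flags are taken from the draft (`sop encrypt CERTS... < PLAINTEXT`, `sop decrypt --with-key-password=@ENV:VAR KEYS... < CIPHERTEXT`), the pgp.cert.d layout is `<dir>/<first two hex digits>/<remaining digits>` with a lowercase fingerprint and `PGP_CERT_D` as the directory override, and keyserver fetching is left out.

```shell
#!/bin/sh
# Added example for this page; not sops code, not any SOP implementation's code.
# Assumptions (not from the page):
#   - SOP verbs/flags per draft-dkg-openpgp-stateless-cli:
#       sop encrypt CERTS... < PLAINTEXT > CIPHERTEXT
#       sop decrypt [--with-key-password=@ENV:VAR] KEYS... < CIPHERTEXT > PLAINTEXT
#   - pgp.cert.d layout: $PGP_CERT_D/<fp[0:2]>/<fp[2:]>, lowercase hex fingerprint,
#     default directory $XDG_DATA_HOME/pgp.cert.d
#   - keyserver lookup is deliberately not implemented here
set -eu

# Binary for an action: per-action override, then SOPS_PGP_SOP_EXEC, then "sop" on PATH.
sop_exec_for() {
  case $1 in
    encrypt) override=${SOPS_PGP_SOP_ENCRYPTION_EXEC:-} ;;
    decrypt) override=${SOPS_PGP_SOP_DECRYPTION_EXEC:-} ;;
    *) echo "unknown action: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "${override:-${SOPS_PGP_SOP_EXEC:-sop}}"
}

# Canonical fingerprint: spaces and 0x prefix removed, lowercase. Must be 40 (v4)
# or 64 (v6) hex digits; anything else is rejected instead of being handed to gpg.
normalize_fp() {
  fp=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:upper:]' '[:lower:]')
  case $fp in
    *[!0-9a-f]*|'') echo "not a hex fingerprint: $1" >&2; return 1 ;;
  esac
  case ${#fp} in
    40|64) printf '%s\n' "$fp" ;;
    *) echo "unexpected fingerprint length ${#fp}: $1" >&2; return 1 ;;
  esac
}

# Path where pgp.cert.d would hold the certificate for a fingerprint.
certd_path() {
  fp=$(normalize_fp "$1") || return 1
  base=${PGP_CERT_D:-${XDG_DATA_HOME:-$HOME/.local/share}/pgp.cert.d}
  printf '%s/%s/%s\n' "$base" "$(printf '%s' "$fp" | cut -c1-2)" "$(printf '%s' "$fp" | cut -c3-)"
}

# Resolve a fingerprint to a certificate file at $2: pgp.cert.d, else GnuPG export.
resolve_cert() {
  fp=$(normalize_fp "$1") || return 1
  out=$2
  p=$(certd_path "$fp")
  if [ -f "$p" ]; then
    cp "$p" "$out"; return 0
  fi
  # gpg --export writes nothing (and still exits 0) for an unknown key,
  # so the non-empty check is the real test.
  if command -v gpg >/dev/null 2>&1 && gpg --batch --export "$fp" > "$out" 2>/dev/null && [ -s "$out" ]; then
    return 0
  fi
  rm -f "$out"
  echo "no certificate for $fp in pgp.cert.d or the GnuPG keyring" >&2
  return 1
}

# sop_encrypt FINGERPRINT... < plaintext > ciphertext
sop_encrypt() {
  [ $# -gt 0 ] || { echo "usage: sop_encrypt FINGERPRINT..." >&2; return 1; }
  work=$(mktemp -d)
  i=0
  for rcpt in "$@"; do
    i=$((i + 1))
    resolve_cert "$rcpt" "$work/$i.cert" || { rm -rf "$work"; return 1; }
  done
  bin=$(sop_exec_for encrypt)
  rc=0
  "$bin" encrypt "$work"/*.cert || rc=$?
  rm -rf "$work"
  return $rc
}

# sop_decrypt < ciphertext > plaintext
# Secret key from SOPS_PGP_SOP_KEY, optional passphrase from SOPS_PGP_SOP_PASSWORD.
sop_decrypt() {
  key=${SOPS_PGP_SOP_KEY:-}
  [ -n "$key" ] && [ -f "$key" ] || { echo "SOPS_PGP_SOP_KEY must name an existing secret key file" >&2; return 1; }
  bin=$(sop_exec_for decrypt)
  if [ -n "${SOPS_PGP_SOP_PASSWORD:-}" ]; then
    # @ENV: indirection: the SOP binary reads the passphrase from the named
    # variable, so it never appears in argv (visible in ps) or on disk.
    export SOPS_PGP_SOP_PASSWORD
    "$bin" decrypt --with-key-password=@ENV:SOPS_PGP_SOP_PASSWORD "$key"
  else
    "$bin" decrypt "$key"
  fi
}
```

Usage is `SOPS_PGP_SOP_EXEC=sqop sop_encrypt <fingerprint> < plain > cipher` and `SOPS_PGP_SOP_KEY=key.asc sop_decrypt < cipher > plain`; setting only SOPS_PGP_SOP_DECRYPTION_EXEC swaps the binary for decryption while encryption keeps using the generic one. The passphrase is passed by `@ENV:` reference rather than as a literal, which is the main reason to prefer the env-var design over a `--password` flag.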