slipset / deps-deploy

deploy your stuff
Eclipse Public License 1.0

Support signing without passphrase #50

Open weavejester opened 2 years ago

weavejester commented 2 years ago

I've noticed that deps-deploy uses read-passphrase when signing, but I think this should be optional (and perhaps not even the default), as GPG often has its own mechanisms for managing authentication that this overrides.

On the MacOS GPG suite, for example, when a passphrase is required it will pop up a dialog asking for it, and it has the option to save the passphrase to the MacOS keychain, or remember it for a set period of time. Because deps-deploy asks for the passphrase itself, it bypasses all of this.

Leiningen also has support for signing releases, but by default it leaves getting the password up to GPG.

slipset commented 2 years ago

I would be very happy to receive a PR on this :) Messing around with GPG is, well, interesting, if one were to be very positive.

weavejester commented 2 years ago

I've found myself with some time to mess about with this, and I was wondering what your preference would be in terms of how to handle this.

We could handle it like Leiningen, and allow GPG to handle getting the passphrase. This would be the most correct behaviour (and the simplest to implement) but may not be backward compatible.

Alternatively, we add in some option to choose between getting the passphrase ourselves, or leaving it up to GPG. The question then is: what should be the default?

I'd lean toward the first solution, but it's up to you.

slipset commented 2 years ago

While I like the first solution, I've spent quite some time making CircleCI and gpg play together when it comes to pass-phrases when deploying directly from Circle as I tend to do.

So I probs like option two best, with today's behavior as the default?

weavejester commented 2 years ago

Sounds good. What about an option :read-passphrase that defaults to deps-deploy.gpg/read-passphrase and expects a zero-argument function that returns a string? If nil, it will default to letting GPG handle it.
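
A sketch of the option proposed in the last comment, as an added example that is not deps-deploy's own code. The namespace `example.sign` and the functions `gpg-args` and `sign!` are hypothetical; the gpg flags are standard GnuPG options, and `:read-passphrase` follows the shape described in the thread (a zero-argument function returning a string, or nil).

```clojure
(ns example.sign
  ;; Hypothetical namespace for illustration; not part of deps-deploy.
  (:require [clojure.java.shell :as shell]))

(defn gpg-args
  "Build the gpg argument vector for an armored, detached signature.
  With a passphrase, gpg reads it from stdin (fd 0) in loopback pinentry
  mode. Without one, no passphrase flags are passed, so gpg-agent and its
  pinentry (dialog, keychain, cache timeout) stay in charge."
  [{:keys [key-id file passphrase]}]
  (cond-> ["gpg" "--yes" "--armor" "--detach-sign"]
    key-id     (into ["--local-user" key-id])
    passphrase (into ["--batch" "--pinentry-mode" "loopback"
                      "--passphrase-fd" "0"])
    true       (conj file)))

(defn sign!
  "Sign :file and return the path of the .asc signature.
  :read-passphrase is a zero-argument fn returning a string, or nil to
  leave passphrase handling to GPG."
  [{:keys [read-passphrase file] :as opts}]
  (let [passphrase (when read-passphrase (read-passphrase))
        args       (gpg-args (assoc opts :passphrase passphrase))
        ;; The passphrase goes over stdin, never argv, so it does not
        ;; show up in the process list or in shell history.
        sh-args    (cond-> args
                     passphrase (into [:in (str passphrase "\n")]))
        {:keys [exit err]} (apply shell/sh sh-args)]
    (when-not (zero? exit)
      (throw (ex-info "gpg signing failed" {:exit exit :err err})))
    (str file ".asc")))

(comment
  ;; CI-style use: passphrase supplied by the caller (constructed env var name).
  (sign! {:file "target/lib.jar"
          :read-passphrase #(System/getenv "GPG_PASSPHRASE")})

  ;; Workstation use: nil lets gpg-agent prompt or use its cache.
  (sign! {:file "target/lib.jar" :read-passphrase nil})

  (gpg-args {:file "target/lib.jar"})
  ;; => ["gpg" "--yes" "--armor" "--detach-sign" "target/lib.jar"]
  )
```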