gpg whole-file preprocessor — decrypts *.gpg (and optionally
*.asc) files at deploy time.
Same shape as the age preprocessor: matches the configured
extensions, runs gpg --decrypt --quiet --batch <source>,
captures plaintext on stdout, and emits an ExpandedFile
with deploy_mode = Some(0o600) per secrets.lex §4.3.
TransformType::Opaque — no reverse path.
Auth model differs from age: gpg picks up its identity from
gpg-agent rather than an explicit identity-file argument. For
a passphrase-protected key, the agent prompts (or pulls cached
credentials); for a YubiKey-backed key, the smartcard daemon
handles it. dodot doesn’t introspect any of that — --batch
makes the call non-interactive at dodot’s end so we don’t block
a dodot up on a TTY-only prompt; if the agent isn’t ready,
gpg exits with a clear “gpg-agent” diagnostic which we
surface.
See secrets.lex §4.1–§4.3 and preprocessing-pipeline.lex
§2.3 (Opaque transform semantics).
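A minimal sketch of the flow described above, added here as an illustration and not dodot's own code. The `Runner` trait, `SystemRunner`, `is_encrypted_source`, `decrypt` and `write_secret` are hypothetical names. It assumes a Unix target, so that the plaintext file can be created with mode 0o600 from the start.

```rust
use std::fs::OpenOptions;
use std::io::Write;
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;
use std::process::{Command, Output};

/// Hypothetical stand-in for the shared command runner (not dodot's trait).
pub trait Runner {
    fn run(&self, program: &str, args: &[&str]) -> std::io::Result<Output>;
}

/// Runs the real binary and captures its stdout and stderr.
pub struct SystemRunner;
impl Runner for SystemRunner {
    fn run(&self, program: &str, args: &[&str]) -> std::io::Result<Output> {
        Command::new(program).args(args).output()
    }
}

/// True when the source's extension is one of the configured ones.
pub fn is_encrypted_source(source: &Path, extensions: &[&str]) -> bool {
    let ext = source.extension().and_then(|e| e.to_str());
    ext.map_or(false, |e| extensions.contains(&e))
}

/// Decrypts `source` with the invocation from the description above.
pub fn decrypt(runner: &dyn Runner, source: &Path) -> Result<Vec<u8>, String> {
    let src = source.to_str().ok_or("non-UTF-8 path")?;
    let out = runner
        .run("gpg", &["--decrypt", "--quiet", "--batch", src])
        .map_err(|e| format!("failed to spawn gpg: {e}"))?;
    if out.status.success() {
        Ok(out.stdout)
    } else {
        // Surface gpg's own diagnostic (e.g. an agent error) to the caller.
        Err(String::from_utf8_lossy(&out.stderr).trim().to_string())
    }
}

/// Creates the target with mode 0o600; fails if the path already exists.
pub fn write_secret(target: &Path, plaintext: &[u8]) -> std::io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(target)?;
    f.write_all(plaintext)
}
```

Setting the mode at creation rather than with a later chmod means the plaintext is never on disk with wider permissions, even briefly.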
Structs
- GpgPreprocessor
gpg decryption preprocessor. Constructed from [preprocessor.gpg] config + the shared CommandRunner.