Disable caching of GPG passphrases in the GPG agent (CryptoUtil 1/3)

[nabla-c0d3]

Status

Ready.

Description of Changes

This PR disables the caching of GPG passphrases by adding default-cache-ttl 0 to the GPG agent's config.

• This fixes a security issue where any GPG passphrase could be supplied to the GPG decryption code, as long as the corresponding decryption key's GPG passphrase was already in the GPG cache. The decryption code (more specifically the GPG binary) transparently retrieves from the cache the GPG passphrase for the right key, and then uses the key to decrypt the data. This happens regardless of what GPG passphrase was supplied by the caller.
• AFAIK this issue is currently unexploitable. Exploiting it would require another another bug in the securedrop server code that would allow a malicious source to "ask" the server to decrypt another source's files/replies. In this scenario, the malicious source would not need to provide/guess the other source's GPG passphrase: the server would transparently retrieve it from its cache and decrypt the content; what this PR fixes.
• This is part 1 of a set of 3 PRs to refactor the GPG code.
  • Part 2: Use the existing GPG fixture in the functional tests (CryptoUtil 2/3) #6184
  • Part 3: Refactor encryption logic to fix type-checking and improve tests (CryptoUtil 3/3) #6160 . That PR contains unit tests to ensure that the correct GPG passphrase must supplied to the decryption code.

[zenmonkeykstop]

• Looks good based on visual review
• confirmed that /var/lib/securedrop/keys/gpg-agent.conf includes the new default-cache-ttl 0 line on both fresh prod installs (using debs built from this branch) and in the upgrade scenario.
• Confirmed reply functionality is unaffected.