age keystore: support stream reading

[Dexmachi]

closes #2162
closes #1303

Why

Currently, sops fails to read multiple age keys passed via process substitution or named pipes (like /dev/fd/X) because these are read-once streams without "seek" support, throwing an EOF when it attempts to read it more than once during loadIdentities() (which happens when there are multiple recipients or during parsing retries).

Passing keys via file descriptors is a fairly common security pattern to prevent decrypted secrets from ever touching the disk or leaking into child processes via /prox/PPID/environ.

How

• Added a fileStreamCache (sync.Map) and a readStreamSafe(path string) ([]byte, error) helper function in age/keysource.go.

• When loading identities, readStreamSafe checks if the path points to a stream with a .HasPrefix, checking for /dev/fd/ or /proc/

• if it is a stream: It reads it into memory and caches the []byte for subsequent calls within the same process.

• if it is not a stream: It bypasses the cache and reads from the disk, as it was originally.

• a exportable ClearFileStreamCache() was created in order to zero out cached memory.

• All unit tests passing.

• Locally tested intended behavior, works as intended.

[felixfontein]

Thanks for your contribution! Can you please make sure to sign-off your commits (otherwise this cannot be merged), and to remove all unrelated code changes (reformatting) from the PR? Thanks.

[Dexmachi]

Thanks for your contribution! Can you please make sure to sign-off your commits (otherwise this cannot be merged), and to remove all unrelated code changes (reformatting) from the PR? Thanks.

oh, damn, ofc, I am sorry

[Dexmachi]

I'm kinda stupid, rolled back my changes only to forget to declare 1 variable and 1 dep lmao

(and the signoff)

[felixfontein]

Please note that your PR has a conflict.

[Dexmachi]

Please note that your PR has a conflict.

Trying to resolve it right now