passage: add support for multiple identity files

[remko]

Resolves #51

• If identities is a directory, pass all files in that directory in alphabetical order as -i arguments to age
• Pass all -i arguments as AGE_IDENTITY_ARGS variable to extensions.
• Pass first identity as IDENTITIES_FILE to extensions for backwards compatibility.

[pnelson]

Thanks for your work. Actually the current documentation for usage with Yubikey is rather confusing without this as it seems to imply multiple identities work:

passage/README

Line 54 in 42cb195

age-plugin-yubikey --identity >> $HOME/.passage/identities

But in practice trying to show a password...

age: error: reading "~/.passage/identities": failed to read "~/.passage/identities": invalid armor: trailing data after armored file

[pnelson]

I see you've already identified this in your original issue #51:

Passage only looks in one identities file, and as far as I know, I cannot combine passphrase-protected age keys and non-password-protected keys (such as the secure enclave one) in one identities file, so I can't make passage behave this way. It does work with age directly when I pass both identities in the correct order.

I guess this documentation could be improved upon but now I'm realizing it is not necessarily as closely related to this PR as I had originally thought.

[jhvst]

I was able to replicate this feature here: jhvst/nix-config@f5592dc

I use a Yubikey HMAC and a Trezor. Would be nice to see this merged!

[remko]

@mntn-xyz Encrypting to multiple keys (e.g. for backup), and decrypting with the identity that is available is already supported by Passage. The same applies to your use case for a shared repository of secrets. Encryption can use recipients files (which can have multiple recipients).

What this PR is about is when a single user needs to use multiple private keys for decryption 'simultaneously' (i.e. some secrets are encrypted using one secret of this user, other secrets using another of this user).

This PR has no impact on age plugins, only on Passage plugins. Age plugins are handed all identities in order, something that has always been supported. I'm not sure why age-plugin-fido2-hmac would only try the first identity.

[mntn-xyz]

@remko Thanks for the clarification. I think I just misunderstood the purpose of this due to the discussion of Yubikeys. I was working late on this and it sounded like this was about passing additional identities to age and then to age plugins. I see now you mentioned "extensions" here, not plugins, and honestly I wasn't even aware that passage had extensions! TIL.