Would it be possible for you to add an option to mender install to accept the artifact on STDIN rather than some filesystem? This would enable users to stream it directly from gpg --decrypt rather than reserve space on the device to temporarily store the artifact.
That’s how gz does things.
It might be programmatically easy to do, as Linux provides both STDIN and regular files as file descriptors to the process. Perhaps all you’d have to do is for mender client to access the file descriptor at some hardcoded path if a certain CLI option is encountered, don’t know.
Exactly, that’s what we do. Some of our customers want to refrain from using networking, hence we want to provide them another way of updating their devices. We don’t want to give them insight into our rootfs, though.
We already have our solution in place. Unless we run out of disk space to intermediately store the decrypted artifact, we are unlikely to pick this issue up again.
Note that apart from encryption, there might be other use cases where streaming the artifact to mender install might be useful: