stop passing passphrases via args, instead use prepared files

Any process can read the process table, and can therefore see the entire
command line of any other process.  That means its a bad idea to ever put
passwords as part of a command line.  Python is executing keytool and
jarsigner command lines here, so now instead of putting the password on the
command line, a file is passed instead with suitable file permissions.
This should reduce the exposure a lot.  But still, sensitive passwords
should not be written to any text file.

This change requires OpenJDK-7 since the :file option to -storepass and
-keypass was only added in Java 7's keytool and jarsigner.

fdroidserver/common.py

@@ -94,8 +94,26 @@ def read_config(opts, config_file='config.py'):
         if st.st_mode & stat.S_IRWXG or st.st_mode & stat.S_IRWXO:
             logging.warn("unsafe permissions on {0} (should be 0600)!".format(config_file))
 
+    for k in ["keystorepass", "keypass"]:
+        if k in config:
+            write_password_file(k)
+
     return config
 
+def write_password_file(pwtype, password=None):
+    '''
+    writes out passwords to a protected file instead of passing passwords as
+    command line argments
+    '''
+    filename = '.fdroid.' + pwtype + '.txt'
+    fd = os.open(filename, os.O_CREAT | os.O_WRONLY, 0600)
+    if password == None:
+        os.write(fd, config[pwtype])
+    else:
+        os.write(fd, password)
+    os.close(fd)
+    config[pwtype + 'file'] = filename
+
 # Given the arguments in the form of multiple appid:[vc] strings, this returns
 # a dictionary with the set of vercodes specified for each package.
 def read_pkg_args(args, allow_vercodes=False):