I have seen a couple of feature requests (namely #355 and #358) that suggest implementing PGP for account authentication. I think this is a good idea, mainly because OpenPGP is an open standard. However, I am sure some users would like to authenticate securely without PGP, but using something else instead. For example, I'd rather use GNOME Keyring.
I think that before hard-coding PGP support into aerc, it would be worthwhile being able to retrieve account credentials through an arbitrary external command. In some cases, this will require aerc brokering between the user and the external command (i.e. forwarding standard input to the external command when needed). (I think this is what Neomutt does).
A way this could be implemented in the accounts.conf file is shown below:
[domain.eml-account] source = $(urlencode "imaps://firstname.lastname@example.org:$(pass email/mail-account)@imap.domain.eml:993") outgoing = $(urlencode "smtps+plain://email@example.com:$(pass email/mail-account)@smtp.domain.eml:587") default = INBOX from = FirstName LastName firstname.lastname@example.org copy-to = Sent
In this example, the code within $() is passed to the shell (according to the SHELL environment variable, or maybe a configuration key-value pair to override it). The shell, in this case, will execute the command urlencode, and one level deeper, the pass command. In this case, the pass command will retrieve the user's password, and it will ask for input! (urlencode's function is self-explanatory.) Instead of pass, however, you may use gpg, secret-tool (for GNOME Keyring), or anything else you'd like.