Did you know SSH can sign files?
And you can look up public keys on GitHub?
This post explains a simple PKI already on most computers, that already has public keys for most people on GitHub:
dlorenc.medium.com/ssh-is-the-new
Thanks to for implementing this!
Conversation
This Tweet was deleted by the Tweet author. Learn more
I'd guess that at least one order of magnitude more people have SSH keys configured and stored on GitHub than have gpg keys published in a key server. Maybe two orders of magnitude.
7
This Tweet was deleted by the Tweet author. Learn more
Right, and the latter are what GPG gets horribly wrong (in the ux department at least).
1
PGP has serious flaws such as inherently depending on SHA-1 and having a ridiculous amount of legacy cruft and bloat. The whole web of trust thing is pretty much harmful nonsense, at least as designed. GPG has serious implementation issues beyond all that. I've migrated away.
2
1
10
If the tool is going to automate one thing, it should be key rotation, and yet it doesn't even have that. I'm eventually going to retire my GPG key and I won't be moving to a new one due to lack of support for automated rotation. I simply won't be using it anymore. It's awful.
1
1
6
Just going to set up my email server to automatically reject PGP encrypted emails and send a response telling people to contact me on Matrix. Matrix and signify cover nearly all my use cases for it. If I ever actually want to encrypt a file anonymously, I'll use age for that.
1
2
6
The one thing I still do with GPG is signing Git tags. The Git wrapper simply signs the object's hash and makes it more difficult to properly verify the object with a specific key. I can't actually justify why I'm still doing that instead of using signify. Maybe I'll start now.
Or are you saying you would sign the commit hash on your own and store it separately?
1
I could sign the commit on my own and store it in a Git note. I would rather have detached signatures than having it as part of the object anyway. That doesn't make sense to me. What happens if I rotate the key and want to sign the previously signed tags with the new key too?
3
2
5
Show replies