In general, I’m happy to concede that there’s not a great one-size-fits-all solution for what PGP tries to tackle, namely encryption/signing of files at rest (for multiple recipients) and encryption/signing of ephemeral/ish messages in transit, which is more session-oriented.
Conversation
You can consider signify+age as a replacement for GPG. It's just not a good approach to secure messaging outside of niche use cases. For example, the best approach for accepting anonymous submissions of encrypted files would be age. It's anonymous authenticated file encryption.
1
2
If you want to prove authenticity too, you need to sign it with signify. However, you still have authenticated encryption with age alone without signify. It just doesn't assert an origin so while someone can't tamper with the message, they could outright replace it with another.
1
1
I’ll need to dig into that more, then, sounds like that pairing covers about 90% of what I’m interested in.
1
1
Signify signatures are a line with "untrusted comment: ..." followed by a line with base64 encoded signature.
Encoded data is "Ed" (in case it ever needs a new algorithm), 64-bit key id (no security relevant beyond helping with rotation) and raw ed25519 signature (~20 bytes).
1
1
Minisign extends with with trusted (verified) comments and optional built-in pre-hashing support. If you don't use those extensions, minisign signatures are compatible with signify.
Signify also knows how to verify files via a signed BSD-style hash file (minisign doesn't).
2
1
Age gives you authenticated encryption for files with either public/private keys or passphrases. Creator of the file is anonymous when using either native age keys or passphrases. I think it would be nice if it provided signing but leaving it up to signify/minisign is fine too.
2
1
Since it has authenticated encryption, age does essentially have signing when using passphrases.
It's a design choice to omit having a way to declare who is creating an encrypted file when encrypting to someone's public key. They'd rather leave it up to signify/minisign for now.
1
1
Right. Authenticated MACs are handy, but delegating deep signature validation to something else avoids second system syndrome to some extent.
1
The main annoyance from it is having 2 separate pairs of keys in different formats when a single pair would suffice. A perfectly good solution would be making a 2nd tool able to use age keys for signing / verification.
I wouldn't mind simply having 2 separate CLI tools for it.
1
1
GPG manages to screw this up as a single tool though based on legacy / cargo cult ideas about encryption. I don't understand how they manage to have so much complexity and yet the basic ability to transparently rotate keys is missing like source.android.com/security/apksi provides.
ed25519 keys/signatures are tiny so it's very low overhead to provide proof of authorized rotations from previous keys with a public key.
For signify, you can just use a static web server to host public keys + proof of rotation and name them after key id to grab what's needed.
1