Not having gpg-agent is a huge deal breaker for me. I feel gpg-agent doesn't get enough love. Not only can it do all the ssh-agent operations, it can also be used with gpgme-json[1] to do web authentication with your [A] key. It's truly a shame that hardly any applications leverage the powerful cryptography afforded by GPG.
I knew about gpgme-json, but I didn't knew, you could do web auth with that. I though the usecase was mainly mailvelope. How does that work?
[deleted]
> Not only can it do all the ssh-agent operations
It can not. Doesn't work with PKCS#11 PIV. In general GPG's behavior with SmartCards is idiotic and interferes with many other applications.
It's good that people don't use GPG more often and I can just purge it from my systems.
What do you mean? I use GPG with SSH (or SSH with GPG) all the time, and I need gpg-agent for that. GPG's agent replaces ssh-agent and serves SSH keys derived from your GPG key.
Can you do this with Age? If not, then I am going to stick to GPG.
Age is super clean and very nice.
But I don’t think it will ever be a replacement for gpg (and might have already passed its window to replace it for file encryption). It just does file encryption. GPG does tons of other things that you will find are very useful (like around key management and signatures).
Literally the only thing I ever actually used gpg for was file encryption. I tried dong key management and signatures for a very brief period 20 years ago and gave up because no one else was doing it and it was annoying trying to do the right opsec things with no payoff.
Ever since then, as far as I can tell there has been a very small very niche group who use gpg for anything other than file encryption. So age is the obvious choice for the vast majority of us and it's adoption seems to be reflecting that.
[deleted]
age is so clean precisely because it does only one thing.
While GPG has other use cases; the intent is that those use cases are satisfied by different tools. Eg: signify for signing.
I’m also considering moving away from GPG, but the main limitation are signed git tags (for releases). For supports GPG or SSH keys. I’m not sure that I’m a fan of signing with SSH keys, I’d rather have first-class support for signify.
Is it post-quantum yet? I could not find indications of that.
Not having gpg-agent is a huge deal breaker for me. I feel gpg-agent doesn't get enough love. Not only can it do all the ssh-agent operations, it can also be used with gpgme-json[1] to do web authentication with your [A] key. It's truly a shame that hardly any applications leverage the powerful cryptography afforded by GPG.
[1]: https://manpages.debian.org/trixie/gpgme-json/gpgme-json.1.e...
I knew about gpgme-json, but I didn't knew, you could do web auth with that. I though the usecase was mainly mailvelope. How does that work?
> Not only can it do all the ssh-agent operations
It can not. Doesn't work with PKCS#11 PIV. In general GPG's behavior with SmartCards is idiotic and interferes with many other applications.
It's good that people don't use GPG more often and I can just purge it from my systems.
What do you mean? I use GPG with SSH (or SSH with GPG) all the time, and I need gpg-agent for that. GPG's agent replaces ssh-agent and serves SSH keys derived from your GPG key.
Can you do this with Age? If not, then I am going to stick to GPG.
Age is super clean and very nice.
But I don’t think it will ever be a replacement for gpg (and might have already passed its window to replace it for file encryption). It just does file encryption. GPG does tons of other things that you will find are very useful (like around key management and signatures).
Literally the only thing I ever actually used gpg for was file encryption. I tried dong key management and signatures for a very brief period 20 years ago and gave up because no one else was doing it and it was annoying trying to do the right opsec things with no payoff.
Ever since then, as far as I can tell there has been a very small very niche group who use gpg for anything other than file encryption. So age is the obvious choice for the vast majority of us and it's adoption seems to be reflecting that.
age is so clean precisely because it does only one thing.
While GPG has other use cases; the intent is that those use cases are satisfied by different tools. Eg: signify for signing.
I’m also considering moving away from GPG, but the main limitation are signed git tags (for releases). For supports GPG or SSH keys. I’m not sure that I’m a fan of signing with SSH keys, I’d rather have first-class support for signify.
Is it post-quantum yet? I could not find indications of that.
[dead]