FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License
17.35k stars 511 forks

Documentation bug in /README.md #encrypting-to-a-github-user #536

Closed ChristopherA closed 5 months ago

ChristopherA commented 10 months ago

Environment

What were you trying to do

Get SSH keys from GitHub to use with age.

What happened

Your home page at https://github.com/FiloSottile/age#encrypting-to-a-github-user suggests:

$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age

However, the key at GitHub.com/username.keys is a list of auth keys (in my case, for instance, it is a different auth key for each of my development computers). So this will not work properly if you have more than one.

Separately, SSH best practice is to keep auth keys separate from signing keys, so GitHub now supports the ability to keep those keys separate and makes them publicly available at https://api.github.com/users/<username>/ssh_signing_keys. However, it is not well documented, and it is in a JSON array rather than a list. But it is useful.

% curl https://api.github.com/users/ChristopherA/ssh_signing_keys
[
  {
    "id": 184891,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTazxjqxsdh3Sv/7fxSTgr3qlCVByYoGDHHe428Fubp",
    "title": "eurynome.local/sign_id_25519_christophera@github.com",
    "created_at": "2023-10-26T06:28:34.882Z"
  },
  {
    "id": 219925,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMU0/lvWurXvUcrvYNgfb02Ska0qpwC/yv22dvDIxxzh",
    "title": "kymindis.local/sign_id_ed25519_christophera@github 2024-01-04",
    "created_at": "2024-01-04T20:13:55.503Z"
  }
]

See also: https://github.com/github/docs/issues/28577#issuecomment-1876135675 & https://github.com/dolmen/github-keygen/issues/54#issuecomment-1875907350

p.s. One of my goals this year is to write up some improved best practices for creation and protection of SSH keys, and their use in GitHub and for file signing. I'll have a zsh script that should be easily adaptable for use with age.
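The conversion the post describes, turning GitHub's ssh_signing_keys JSON array into the one-key-per-line file that age -R expects, as an added example that is not part of the issue or of age itself. It keeps only the ssh-ed25519 and ssh-rsa types that age's README says it can encrypt to; the sample JSON and its key material are constructed placeholders, and the output file name is an assumption.

```python
import json
import sys
import urllib.request

# The SSH key types age can encrypt to, per the age README.
AGE_SSH_KEY_TYPES = ("ssh-ed25519", "ssh-rsa")

# Constructed sample in the shape of GitHub's /users/<user>/ssh_signing_keys
# response. The base64 parts are placeholders, not real keys.
SAMPLE_JSON = """[
  {"id": 1, "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1", "title": "laptop"},
  {"id": 2, "key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER2", "title": "token"},
  {"id": 3, "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER3 me@desktop", "title": "desktop"}
]"""


def signing_keys_to_recipients(json_text: str) -> list[str]:
    """Return one 'type base64' line per usable key, the format age -R reads.

    Entries whose type age cannot encrypt to (e.g. ecdsa) and malformed
    entries are skipped here rather than written into the recipients file.
    Several lines in one file are fine: age -R encrypts to all of them and
    any one matching private key can decrypt.
    """
    recipients = []
    for entry in json.loads(json_text):
        parts = entry.get("key", "").split()
        if len(parts) < 2 or parts[0] not in AGE_SSH_KEY_TYPES:
            continue
        # Drop any trailing comment; age only needs the type and key blob.
        recipients.append(f"{parts[0]} {parts[1]}")
    return recipients


def fetch_signing_keys(username: str) -> str:
    """Fetch the public signing keys of a GitHub user (network access needed)."""
    url = f"https://api.github.com/users/{username}/ssh_signing_keys"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # With a username argument the live API is used; otherwise the sample.
    text = fetch_signing_keys(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JSON
    lines = signing_keys_to_recipients(text)
    with open("recipients.txt", "w") as f:  # assumed output file name
        f.write("\n".join(lines) + "\n")
    print(f"wrote {len(lines)} recipient(s); then: age -R recipients.txt example.jpg > example.jpg.age")
```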

Martin-Buchholz commented 6 months ago

So this will not work properly if you have more than one (ssh key).

Why do you say that? The -R flag accepts a list of recipients, and any of the corresponding private keys can be used to decrypt. Which seems like excellent default behavior.

FiloSottile commented 5 months ago

SSH key support is a convenience feature, not the "proper" way to use age. Most GitHub accounts have auth SSH keys but not signing SSH keys, so supporting the latter would make little sense. We know we are taking a license on the intended purpose of the keys.

From the README:

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys [...]

Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication [...]