CLI revamp and v1 beta last call

124 views
Skip to first unread message

Filippo Valsorda

unread,
Nov 28, 2019, 6:57:38 PM11/28/19
to age...@googlegroups.com
I have reworked the CLI to be more explicit and intuitive. Recipient and
identities as arguments were clever, which is not a compliment.

Now encryption takes -r/--recipient flags, decryption is selected with
-d/--decrypt and takes -i/--identity flags, the output file is -o or
stdout, the input file is an optional argument or stdin. Key generation
moved to age-keygen, which can grow its own flags for stuff like YubiKey
PIV management.

With this, I'd like to issue a last call for the v1 beta, which would
trigger a backwards compatibility promise for the CLI and file formats.
Speak now, or hold your peace until v2, scheduled to come at the same
time as Go 2.


$ age-keygen > key.txt

$ cat key.txt
# created: 2019-10-06T22:44:14-04:00
# pubkey:9qK5CQd0aPFOMlBIpVPP8mOggiFxqkXKkcSJrqoxIyI
AGE_SECRET_KEY_l6sUOU2sZgLkyIkDHT_Q7wNqUjeeyUe4pJCsyt_-qII

$ echo "_o/" | age -r pubkey:9qK5CQd0aPFOMlBIpVPP8mOggiFxqkXKkcSJrqoxIyI -armor -o hello.age

$ cat hello.age
This is an armored file encrypted with age-tool.com, version 1
-> X25519 jxogGETLAZtc70T35gEa7-TyTsqRKjoh4w-URI2tHC4
FflFC6gUrydahfQj9KmVI8eznYR7XNm5Ra_19CvbvyY
--- i7xr4pMS8q4zCzK9-qO4vk6ENoCw-kwcSMYwnJCD6NY
DcZbEGeYV1TPxLANHVLLo53ep7JfMsYmDeX2aYiDUIUFzTHr
--- end of file ---

$ age -decrypt -i key.txt hello.age
_o/

$ tar cv ~/xxx | age -r github:Benjojo -r github:FiloSottile | nc 192.0.2.0 1234

brcrwi...@gmail.com

unread,
Nov 28, 2019, 8:34:38 PM11/28/19
to age-dev
Could you give a bit more detail on how the `github:` recipient works? I know a user’s pub keys can be found at https://github.com/{user}.keys. Many people have several keys here. Would the message be decrypt-able by any of that user’s keys?

Aaron Janse

unread,
Nov 28, 2019, 9:32:11 PM11/28/19
to age...@googlegroups.com
On Thu, Nov 28, 2019, at 11:57 PM, Filippo Valsorda wrote:
With this, I'd like to issue a last call for the v1 beta, which would
trigger a backwards compatibility promise for the CLI and file formats.
Speak now, or hold your peace until v2, scheduled to come at the same
time as Go 2.

For the sake of organization, I'd like to just call out my previous question about ASCII armor wrapping [1]:
Why wrap at 56 lines instead of doing something like salt pack?

As far as I know, the authors of `age` are fantastic cryptographers, so I assume there's a good reason, but in the small chance that maybe it would be better to do something more similar to salt pack wrapping, it would be nice to have that change made before v1 beta is finalized.

[1] my question in full is in the relevant mailing list thread

~ Aaron

Filippo Valsorda

unread,
Nov 28, 2019, 11:32:06 PM11/28/19
to age...@googlegroups.com
Replied in the other thread, thank you! We'll definitely settle that before cutting the beta.

Filippo Valsorda

unread,
Nov 28, 2019, 11:33:21 PM11/28/19
to age...@googlegroups.com
Yes, "github:{user}" expands to a "https://github.com/{user}.keys"
recipient list, where each line in the response is interpreted as
a recipient. Unsupported SSH key types (any other than ssh-rsa and
ssh-ed25519) are ignored. (Maybe with a warning?)
Reply all
Reply to author
Forward
0 new messages