Over the last year I’ve been trying to understand why GPG isn’t popular. Based on the features I think it’s a pretty valid thing. This article changed my mind.

Turns out GPG is too old ¯_(ツ)_/¯

I like signing my commits, it feels good to know that my identity is actually attached to my code. So I put in some work to reconfigure git to use a different signing tool, I didn’t think it would be such a big deal, turns out git fully intergrates GPG. I’m confused. Why does git need to be hardcoded to use GPG specifically?

What rule says we can’t have git configs like:

[sigining]
  defaultMethod=minisign

[signing.minisign]
  always=true
  signCommand=minisign -S -s {secret-key-file} -x {sig-file-name} -m {target-file}
  verifyCommand=minisign -V -P {public-key-file} -m {target-file}

Where the verifyCommand exits 0 if the signature is good and 1 if not.

I’m open to hearing cons. These are some I can think of:

  • User’s have to configure git with each signing and verifying program
  • Upstream security conserns from signing programs
  • Signing programs changing their interfaces
  • mo_ztt ✅
    link
    English
    11 year ago

    It’s “bias” in favor of the truth, though. I don’t think he’s saying anything against email as a technology or against PGP-signing your emails as a habit – just saying that encrypting an email with a PGP key and thinking that’ll make it un-eavesdroppable is just 100% wrong backwards and forwards. That’s accurate, and I think it’s worth saying (I mean, I wasn’t fully aware that e.g. the subject line of a PGP-encrypted email is still plaintext).