Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation bug in /README.md #encrypting-to-a-github-user #536

Closed
ChristopherA opened this issue Jan 18, 2024 · 2 comments
Closed

Documentation bug in /README.md #encrypting-to-a-github-user #536

ChristopherA opened this issue Jan 18, 2024 · 2 comments

Comments

@ChristopherA
Copy link

Environment

  • OS: n/a
  • age version: n/a

What were you trying to do

Get SSH keys from GitHub to use with age.

What happened

Your home page at https://github.com/FiloSottile/age#encrypting-to-a-github-user suggests:

$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age

However, the key at GitHub.com/username.keys is a list auth keys (in my case, for instance, it is a different auth keys for each of my development computers). So this will not work properly if you have more than one.

Separately, SSH best practices is to keep auth keys separate from signing keys, so GitHub now supports the ability to keep those keys separate and makes them publicly available https://api.github.com/users/<username>/ssh_signing_keys, however, it is not well documented, and it is in a JSON array rather than a list. But it is useful.

% curl https://api.github.com/users/ChristopherA/ssh_signing_keys
[
  {
    "id": 184891,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTazxjqxsdh3Sv/7fxSTgr3qlCVByYoGDHHe428Fubp",
    "title": "eurynome.local/[email protected]",
    "created_at": "2023-10-26T06:28:34.882Z"
  },
  {
    "id": 219925,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMU0/lvWurXvUcrvYNgfb02Ska0qpwC/yv22dvDIxxzh",
    "title": "kymindis.local/sign_id_ed25519_christophera@github 2024-01-04",
    "created_at": "2024-01-04T20:13:55.503Z"
  }
]
%

See also: github/docs#28577 (comment) & dolmen/github-keygen#54 (comment)

p.s. One of my goals this year is to write up some improved best practices for creation and protection of SSH keys, and their use in GitHub and for file signing. I'll have a zsh script that should be easily adaptable for use with age.
@Martin-Buchholz
Copy link

So this will not work properly if you have more than one (ssh key).

Why do you say that? The -R flag accepts a list of recipients, and any of the corresponding private keys can be used to decrypt. Which seems like excellent default behavior.

@FiloSottile
Copy link
Owner

SSH key support is a convenience feature, not the "proper" way to use age. Most GitHub accounts have auth SSH keys but not signing SSH keys, so supporting the latter would make little sense. We know we are taking a license on the intended purpose of the keys.

From the README

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys [...]

Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication [...]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ChristopherA @FiloSottile @Martin-Buchholz