Thread #108045721
On one hand GPG is standard for signing but on the other OpenSSH seems to have devs that are not faggots.
>>
>>108045721
Neither. Signing commits is gay. Why would you want any form of non-repudiation of your repository? Also what value does this supposed non-repudiation buy you? Heh this commit was signed off by me that means it's .... Uh something!
>b-but muh remote can preimage attack muh sha-1 git hashes and rewrite history
Really nigger?
>>
>>108047076
Fucking lmao.
>>108046824
Especially if you encrypt with something that is NSA backdoor. Maybe it's time to adopt a new schizo theory that PGP was never actually meant to be gatekept in US and that whole story about book was just a way to advertise backdoor.
>>108046556
>signing commits is gay
So... applies to me? I'd rather die than fuck w*man.
>why would you need any form of non-repudiation
And why you need to breathe nigga? Just stop. This is not stackoverflow.
>>
>>108049048
you are holding it wrong
https://www.gnupg.org/blog/20251226-cleartext-signatures.html
basically, all of these "issues" are a complete non-issue—only a tranny would claim otherwise
>>
>>108050580
Because it's not openpgp anymore. Werner Koch decided to do his own thing: https://librepgp.org/
>>
>>108050707
So we have retarded OpenPGP spec that's just legacy shit, which GPG follows by allowing clear text sign.
But when it came to AEAD support which is not part of the spec, those same niggers went "nah, fuck spec" and made their own standard which is so good only they follow it. And that's a lot, sure, given that the only widely used OpenPGP implementation was/is GPG.
But where's the fucking consistency behind their own logic?
>>108050580
This >>108050681 is currently discussed for Fedora too.
>>108050701
The more I learn the more I feel like from security standpoint you're right, GNU is more or less a disaster.
>>108051472
Oh, yeah, this too. Even if you don't care about keeping address to yourself, it's still 90s/00s design. For me my name is my main credential, not some emails. Address may change for whatever reason, I may lose an account or whatever.
>>
is there a GPG alternative that:
1. signs + encrypts files
2. has something like gpg-agent
minisign and age don't do either.
I don't care about the web of trust, key management bullshit features. looks like ssh-agent doesn't let you sign/encrypt with the key.
>>
>>108052136
It does let you sign. But to encrypt you'd need openssl and I'm pretty sure that making it work with ssh-agent is one hell of a task.
What I noticed is that adding a key to ssh-agent is pretty much necessary for it to work with stuff like JB IDEs. At least on Windows. When I git commit in console, it asks for a passphrase there. But when I do in say IDEA it just throws error. You need to add key to ssh-agent and that'll remove passphrase prompt which is far from ideal for my case.
GPG has no such problem, there's qt messagebox asking for passphrase that always works fine.
>>
>>108052628
>But to encrypt you'd need openssl and I'm pretty sure that making it work with ssh-agent is one hell of a task.
oh yeah I did that once, it's very annoying
but at least I can encrypt my files with my SSH keys now
>>
>>108045721
Think about the people who will verify your signatures. Then think about the subset that you care about most. What kinds of signatures and certificates would be most convenient and trustworthy for those people?
In the end, that's what matters. You digitally sign things in order to help certain people accomplish things. So think about who they are and what would help them the most.
>>
>>108053526
No, I mean regular SSH keys. Literally. You can sign with them.
Btw, signing with X.509 is probably the most useful one since you can have some internal CA at work that will issue you one.
>>108053582
Yeah, shame they added signing but not encryption/decryption. Also, CLI for doing so can use a little bit of improvement.
>>108053657
That's kind of a problem here, both are applicable. In the end, with SSH I'll just end up with a list of trusted signers. Rather easy to share with everyone involved with the project.
GPG would be more involved. I'd need some sort of storage for all public keys and to let everyone know how to import from there. But future management seems easier too with less manual labor.
Which is why I asked, maybe someone has experience or knows that something is just bad.
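The "list of trusted signers" workflow from the post above, as an added example that is not part of the thread: it signs a file with an ordinary SSH key and verifies it against an `allowed_signers` file using `ssh-keygen -Y`. The signer identity, the `file` namespace and all file names are constructed for the demo, and it assumes an OpenSSH build whose `ssh-keygen` supports `-Y`.

```sh
#!/bin/sh
# Added example: sign and verify a file with an ordinary SSH key.
# SIGNER, NAMESPACE and all file names are constructed for this demo.
SIGNER="dev@example.org"
NAMESPACE="file"   # must be identical when signing and when verifying

# Generate a throwaway ed25519 key and the shared list of trusted signers.
setup_signer() {   # $1 = working directory
    ssh-keygen -q -t ed25519 -N "" -C "$SIGNER" -f "$1/id_demo" || return 1
    # allowed_signers line: principal, options, key type, base64 public key
    printf '%s namespaces="%s" %s\n' "$SIGNER" "$NAMESPACE" \
        "$(cut -d' ' -f1,2 "$1/id_demo.pub")" > "$1/allowed_signers"
}

# Writes the detached signature to <file>.sig.
sign_file() {      # $1 = working directory, $2 = file to sign
    ssh-keygen -Y sign -f "$1/id_demo" -n "$NAMESPACE" "$2"
}

# Exit status 0 only if the signature matches the file AND the key is
# listed for the claimed signer and namespace in allowed_signers.
verify_file() {    # $1 = working directory, $2 = file, $3 = claimed signer
    ssh-keygen -Y verify -f "$1/allowed_signers" -I "$3" \
        -n "$NAMESPACE" -s "$2.sig" < "$2"
}

demo() {
    dir=$(mktemp -d) || return 2
    setup_signer "$dir" && echo "release notes v1" > "$dir/notes.txt" \
        && sign_file "$dir" "$dir/notes.txt" || { rm -rf "$dir"; return 2; }
    rc=0
    # Listed signer, untouched file: must verify.
    verify_file "$dir" "$dir/notes.txt" "$SIGNER" || rc=1
    # Signer that is not in allowed_signers: must be rejected.
    verify_file "$dir" "$dir/notes.txt" "other@example.org" && rc=1
    # File modified after signing: must be rejected.
    echo "tampered" >> "$dir/notes.txt"
    verify_file "$dir" "$dir/notes.txt" "$SIGNER" && rc=1
    rm -rf "$dir"
    return $rc
}

demo && echo "all three signature checks behaved as expected"
```

Git reads the same file format through `gpg.ssh.allowedSignersFile` when `gpg.format` is set to `ssh`.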
>>
>>108055368
man ssh-keygen
>>108058504
What if trannies start saying 2+2=4? Will it be over?