Over the last year I’ve been trying to understand why GPG isn’t popular. Based on the features I think it’s a pretty valid thing. This article changed my mind.

Turns out GPG is too old ¯_(ツ)_/¯

I like signing my commits, it feels good to know that my identity is actually attached to my code. So I put in some work to reconfigure git to use a different signing tool, I didn’t think it would be such a big deal, turns out git fully intergrates GPG. I’m confused. Why does git need to be hardcoded to use GPG specifically?

What rule says we can’t have git configs like:

[sigining]
  defaultMethod=minisign

[signing.minisign]
  always=true
  signCommand=minisign -S -s {secret-key-file} -x {sig-file-name} -m {target-file}
  verifyCommand=minisign -V -P {public-key-file} -m {target-file}

Where the verifyCommand exits 0 if the signature is good and 1 if not.

I’m open to hearing cons. These are some I can think of:

  • User’s have to configure git with each signing and verifying program
  • Upstream security conserns from signing programs
  • Signing programs changing their interfaces
  • The article that changed your mind really shouldn’t have. It’s mostly full of hyperbole. Like this:

    “PGP does a mediocre job of signing things, a relatively poor job of encrypting them with passwords, and a pretty bad job of encrypting them with public keys. PGP is not an especially good way to securely transfer a file. It’s a clunky way to sign packages. It’s not great at protecting backups. It’s a downright dangerous way to converse in secure messages.”

    Literally none of this is true - the author is presenting their particular opinions as general fact. I use AES through PGP, knowing that even future quantum computers can’t break it.

    I wish they’d cut out all the 90’s references and pointless exaggerations, and stuck to facts. Then again, the facts-only version of this article probably wouldn’t make a strong case against PGP.

    (Also, one of the links in the article, with the dodgy-and-harmful link text “Full disk encryption isn’t great”, includes advice to use PGP in it. Maybe the author should have read the references they were citing.)