Over the last year I've been trying to understand why GPG isn't popular. Based on the features I think it's a pretty valid thing. This article changed my mind.
Turns out GPG is too old ¯_(ツ)_/¯
I like signing my commits, it feels good to know that my identity is actually attached to my code. So I put in some work to reconfigure git to use a different signing tool, I didn't think it would be such a big deal, turns out git fully intergrates GPG. I'm confused. Why does git need to be hardcoded to use GPG specifically?
What rule says we can't have git configs like:
[sigining]
defaultMethod=minisign
[signing.minisign]
always=true
signCommand=minisign -S -s {secret-key-file} -x {sig-file-name} -m {target-file}
verifyCommand=minisign -V -P {public-key-file} -m {target-file}
Where the verifyCommand
exits 0 if the signature is good and 1 if not.
I'm open to hearing cons. These are some I can think of:
- User's have to configure git with each signing and verifying program
- Upstream security conserns from signing programs
- Signing programs changing their interfaces
The article that changed your mind really shouldn't have. It's mostly full of hyperbole. Like this:
"PGP does a mediocre job of signing things, a relatively poor job of encrypting them with passwords, and a pretty bad job of encrypting them with public keys. PGP is not an especially good way to securely transfer a file. It’s a clunky way to sign packages. It’s not great at protecting backups. It’s a downright dangerous way to converse in secure messages."
Literally none of this is true - the author is presenting their particular opinions as general fact. I use AES through PGP, knowing that even future quantum computers can't break it.
I wish they'd cut out all the 90's references and pointless exaggerations, and stuck to facts. Then again, the facts-only version of this article probably wouldn't make a strong case against PGP.
(Also, one of the links in the article, with the dodgy-and-harmful link text "Full disk encryption isn’t great", includes advice to use PGP in it. Maybe the author should have read the references they were citing.)