XIII
Trusted Contributor, 3 years ago
GPG support? (like SSH)
Would it be possible to add similar support for GPG keys?
- dannysauer, New Contributor
I'm still super interested in this because I'd like to be able to more natively use 1Password as the central hub to store keys used to sign published artifacts generated in CI. It'd be super-handy if I could easily generate a new signing subkey and revoke one which was compromised when a CI system's cloud provider gets hacked again, all without having to change a thing about the CI logic. Bonus points for also auto-publishing to one or more keyservers on-change. For one example.
Right now I have to locally export a key, import that into 1Password as a text field, then have automation fetch the armored key before importing it into a local agent, etc. It's kind of a convoluted process compared to something like telling a package signing process to just use a local key agent which can just speak to 1Password Connect -- for another example. :)
Git commit signing is technically on the list, but more of a side effect to me personally.
- Lucent, Occasional Contributor
I think they're hoping everyone storing PGP keys is using them for signing commits and, as people discover it can be done with SSH, they'll give up asking for the feature. There are indeed those of us from the '90s still using S/MIME and encrypting blocks to others who want 1Password to be the one-stop secret shop.
- froazin, New Contributor
Big +1
SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified", which defeats the point of supply chain integrity since it's not possible to distinguish between a commit that was signed with an old key, a commit that was not signed, and a commit signed with another key that's not allowed.
The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.
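One layer of this is worth making concrete. The following is an editor's added example, not code from froazin, 1Password, GitHub or OpenSSH: in an OpenSSH allowed_signers file a key can be given a validity window (valid-before) instead of being deleted, so a signature dated inside the window still verifies, the same key is refused for anything dated after the cut-off (a verdict distinct from "unsigned" or "unknown key"), and tampering is still caught. SSH signatures carry no timestamp, so the verifier supplies the date; current git does this for gpg.ssh.allowedSignersFile by passing the commit date to the same ssh-keygen check. It does not change what GitHub's web badge shows, which is GitHub's own policy. The script assumes OpenSSH 8.9 or newer (the valid-before option and -Overify-time), signs a stand-in artifact rather than a commit, and every name, path and date in it is constructed.

```shell
#!/bin/sh
# Added example; not code from this thread or from 1Password/OpenSSH.
# Retire an SSH signing key with a validity window instead of deleting it.
# Assumes OpenSSH >= 8.9; all names, paths and dates below are made up.

_ssh_retirement_run() {
  work=$1

  # 1. A release-signing key. Empty passphrase only so the demo runs unattended.
  ssh-keygen -q -t ed25519 -N '' -C 'release-signer (constructed)' -f "$work/signer" || return 1

  # 2. The artifact a pipeline would publish, plus its detached SSH signature
  #    (ssh-keygen writes artifact.sig). "file" is the signature namespace;
  #    git uses "git" for commits.
  printf 'release-1.2.3.tar.gz (constructed stand-in for a real artifact)\n' > "$work/artifact"
  ssh-keygen -Y sign -f "$work/signer" -n file "$work/artifact" >/dev/null 2>&1 || return 1

  # 3. The verifier's trust list. The key stays listed for the principal
  #    release@example.com, but only for signatures dated before 2023-06-01.
  printf 'release@example.com valid-before="20230601" %s\n' "$(cat "$work/signer.pub")" \
    > "$work/allowed_signers"

  # Verify the artifact as of a given date. The verifier supplies the date
  # (release metadata, commit date); the signature itself carries none.
  verify_at() {
    ssh-keygen -Y verify -f "$work/allowed_signers" -I release@example.com -n file \
      -s "$work/artifact.sig" -Overify-time="$1" < "$work/artifact" >/dev/null 2>&1
  }

  # 4a. Dated inside the window: accepted.
  verify_at 20230115 || { echo "unexpected: in-window signature rejected"; return 1; }

  # 4b. Dated after the cut-off: the key is refused. Deleting the key instead
  #     would make this indistinguishable from "unsigned" or "unknown key".
  if verify_at 20240101; then echo "unexpected: retired key accepted"; return 1; fi

  # 4c. Tampering with the artifact is still detected for in-window dates.
  printf 'tampered\n' >> "$work/artifact"
  if verify_at 20230115; then echo "unexpected: tampered artifact accepted"; return 1; fi

  echo "ok: old signatures verify, new use of the retired key is refused"
}

demo_ssh_key_retirement() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "skip: ssh-keygen not installed"; return 0; }
  # Skip rather than fail on OpenSSH older than 8.9, which lacks these options.
  set -- $(ssh -V 2>&1 | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  if [ -z "${1:-}" ] || [ "$1" -lt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -lt 9 ]; }; then
    echo "skip: OpenSSH ${1:-?}.${2:-?} predates valid-before/-Overify-time"; return 0
  fi
  work=$(mktemp -d) || return 1
  _ssh_retirement_run "$work" && rc=0 || rc=$?
  rm -rf "$work"
  return $rc
}

demo_ssh_key_retirement
```

The same allowed_signers line, with the principal set to the committer e-mail, is what git reads from gpg.ssh.allowedSignersFile; the date the verifier trusts has to come from metadata it controls (the commit or tag it is checking), not from the party presenting the signature.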
- Lucent, Occasional Contributor
Very interested in this as well.
- Former Member
Hey folks! Love to see the enthusiasm here and we are definitely evaluating this to add going forward 😄 Stay tuned!
- Former Member
Would love to see this feature added. I can think of several use cases:
1. Restoring keys (ssh/gpg) for developers when transitioning new laptops/workstations, etc.
2. This gets around the issue that now GitLab is experiencing where they're getting a flood of requests for ssh signing support, specifically because 1Password added this feature. LINK to JIRA Open Ticket
3. It could provide some great synergy between apps like GPG Keychain (for macOS) and 1Password for better/smoother development workflows.
Would love to see where this feature goes... I would be all over it day one, and would even beta test if you want (or if this is possible).
- Lucent, Occasional Contributor
Seems like interest is dwindling because many were using GPG for commit signing and SSH can do that as well now. Many of us still use GPG for encrypted communication and file storage.
- ionos, Occasional Contributor
Top of my head:
- key servers for verification, web of trust (an SSH commit signature by itself means nothing, if I don't know the key)
- existing workflows based on GPG
- subkeys
- kherge, New Contributor
After having the pleasure of using 1Password's SSH agent, I am also very excited about the possibility of using my GnuPG keys with 1Password and a GnuPG agent. SSH is nice, but I value GnuPG's subkey support greatly.
- I generally manage my identity with GnuPG keys, not SSH keys.
- It's already been mentioned, but key servers for verification is great.
- The ability to publish and revoke these keys.
- Being able to create distinct subkeys allows me to avoid using a master key.
- I can sign for things using dedicated signing keys.
- I can encrypt things using dedicated encryption keys.
From what I understand, if you wanted any of this without GnuPG you would have to use certificates and certificate authorities.
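The key layout kherge lists (and the "generate a new signing subkey without touching the CI logic" workflow dannysauer describes earlier) looks like this in GnuPG. This is an editor's added example, not code from either poster, from 1Password or from the GnuPG project: a certify-only primary key, one subkey for signing and one for encryption, then an export of the subkeys alone, so the copy that lands on a workstation or CI runner carries only a stub of the primary key. It assumes GnuPG 2.1 or newer (the --quick-* commands, ed25519/cv25519) and runs in throwaway GNUPGHOME directories; every name, path and expiry in it is constructed, and revocation is left out.

```shell
#!/bin/sh
# Added example; not code from this thread or from 1Password/GnuPG.
# Certify-only primary, dedicated sign and encr subkeys, subkeys-only export.
# Assumes GnuPG >= 2.1; all names, paths and expiries below are made up.

_gpg_subkeys_run() {
  home=$1
  export GNUPGHOME="$home/primary"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  # Unattended gpg; the empty passphrase is for the demo only.
  g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

  # 1. Primary key that can only certify: it never signs data or decrypts.
  g --quick-generate-key 'Dev (constructed) <dev@example.com>' ed25519 cert never || return 1
  fpr=$(gpg --batch --with-colons --list-keys dev@example.com | awk -F: '$1=="fpr"{print $10; exit}')
  [ -n "$fpr" ] || return 1

  # 2. Dedicated subkeys, each expiring in a year so rotation is routine.
  g --quick-add-key "$fpr" ed25519 sign 1y || return 1
  g --quick-add-key "$fpr" cv25519 encr 1y || return 1

  # 3. Sign an artifact: gpg selects the signing subkey, not the primary.
  printf 'release-1.2.3.tar.gz (constructed stand-in)\n' > "$home/artifact"
  g --detach-sign -u dev@example.com -o "$home/artifact.sig" "$home/artifact" || return 1
  g --verify "$home/artifact.sig" "$home/artifact" 2>/dev/null \
    || { echo "unexpected: signature did not verify"; return 1; }

  # 4. What leaves the vault: the public key plus secret material of the subkeys only.
  g --export dev@example.com > "$home/public.gpg" || return 1
  g --export-secret-subkeys dev@example.com > "$home/subkeys.gpg" || return 1

  # 5. On the "workstation": import, confirm the primary is only a stub
  #    ('#' in field 15 of the sec record), and check signing still works.
  export GNUPGHOME="$home/workstation"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  g --import "$home/public.gpg" "$home/subkeys.gpg" 2>/dev/null || return 1
  stub=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="sec"{print $15; exit}')
  [ "$stub" = "#" ] || { echo "unexpected: primary secret key present on workstation"; return 1; }
  g --detach-sign -u dev@example.com -o "$home/artifact2.sig" "$home/artifact" || return 1
  g --verify "$home/artifact2.sig" "$home/artifact" 2>/dev/null || return 1

  echo "ok: subkeys sign and verify; primary key is a stub on the workstation"
}

demo_gpg_subkeys() {
  command -v gpg >/dev/null 2>&1 || { echo "skip: gpg not installed"; return 0; }
  work=$(mktemp -d) || return 1
  _gpg_subkeys_run "$work" && rc=0 || rc=$?
  # Stop the agents gpg started for the two temporary homes, then clean up.
  for h in "$work/primary" "$work/workstation"; do
    { [ -d "$h" ] && GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; } || true
  done
  rm -rf "$work"
  return $rc
}

demo_gpg_subkeys
```

Because the signing subkey is what CI sees, a compromised runner costs one subkey: the primary, kept elsewhere, issues a replacement subkey and the pipeline keeps using the same user ID and the same public key fingerprint for the primary.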
- sannidhyz, Occasional Contributor
GPG keys can not only be used for signing commits but also used to sign and encrypt files, emails and other data. We'd love to see GPG support in 1Password.