Would it be possible to add similar support for GPG keys?

I'm still super interested in this because I'd like to be able to more natively use 1password as the central hub to store keys used to sign published artifacts generated in CI. It'd be super-handy if I could easily generate a new signing subkey and revoke one which was compromised when a CI system's cloud provider gets hacked again, all without having to change a thing about the ci logic. Bonus points for also auto-publishing to one or more keyservers on-change. For one example. Right now I have to locally export a key, import that into 1password as a text field, then have automation fetch the armored key before importing it into a local agent, etc. It's kind of a convoluted process compared to something like telling a package signing process to just use a local key agent which can just speak to 1password connect -- for another example. :) Git commit signing is technically on the list, but more of a side effect to me personally.

IMO, GPG is a fairly complex standard that sees use in many many ways. Adding support for all of these myriad ways into 1Password maybe reinventing the wheel because GPG already has a large number of tools available. And these tools are quite modern in their implementation (but often not in their UI/UX). At the same time, I do want to be able to store my GPG keys in 1Password. After all, what I am paying for is having to remember just "one password".

I think they're hoping everyone storing PGP keys is using them for signing commits and as people discover it can be done with SSH, they'll give up asking for the feature. There are indeed those of us from the '90s still using S/MIME and encrypting blocks to others who want 1Password to be the one stop secret shop.

Big +1 SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified" which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key, or a commit that was not signed, or signed with another key that's not allowed. The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.

Just to throw my opinion into the mix: SSH keys cannot be substituted for PGP keys in all cases. A PGP key is closer to a digital certificate than it is to an SSH key; whereas an SSH key is really just a raw public key with a tiny amount of metadata attached, a PGP key can and generally does contain a wealth of additional metadata, and is also used for a much wider variety of purposes, like certifying other public keys or containing attached subkeys. In concrete terms, an SSH key cannot be substituted for a PGP key for many use cases, like E2E encrypted email, YubiKey, cryptocurrency wallets etc. If 1Password were to support a GnuPG authentication agent, it would make storing private keys in a centralized location easier and more secure, and the process of performing common PGP-related tasks more transparent. While GnuPG is pretty widely supported nowadays, and there is a wide variety of FOSS out there for managing keys, having my PGP keys stored in 1Password would make life a little easier. It's a small quality-of-life improvement, but not really a significant ask from me personally. I use 1Password because it has the best user experience and broadest compatibility of all of the password managers I've tried, and I intend to keep using it regardless of whether or not PGP keys are supported.

GPG support? (like SSH) | 1Password Community

81 Replies

sannidhyz
New Contributor
3 years ago
GPG keys can not only be used for signing commits but also used to sign and encrypt files, emails and other data. We'd love to see GPG support in 1Password.
XIII
Super Contributor
3 years ago

Finally, it's worth noting that while SSH keys can be used to sign git commits, the level of trust is not as meaningful as a GPG one, due to the absence of infrastructure like keybase, which verifies the authenticity of the signer.

Apparently that’s even an (user…) issue with GPG:

https://blog.pypi.org/posts/2023-05-23-removing-pgp/
itsTyrion
New Contributor
3 years ago
GPG/PGP offers various features for security & privacy. It supports keyservers (are there good methods/servers for doing that with SSH keys?), making it convenient to publish your key.
Additionally, it allows the use of revocation certificates and the creation of master and sub keys, which can be particularly beneficial for organizations. With GPG/PGP, you have the ability to sign commits, as well as sign and encrypt emails, text, individual files, and git commits.

Furthermore, GPG/PGP can be used to securely share credentials with others, even when using platforms or channels that may not prioritize privacy, using their pub key, obtained from e.g. keybase.

Finally, it's worth noting that while SSH keys can be used to sign git commits, the level of trust is not as meaningful as a GPG one, due to the absence of infrastructure like keybase, which verifies the authenticity of the signer.
Ryan_Parman
Dedicated Contributor
3 years ago
I started watching this issue 15 months ago, shortly after it was opened.

I use GPG for signing my Git commits

I use it for signing/encrypting emails

I use it with GoReleaser to generate GPG signatures for software packages I release

I use it with Keybase.io

I use it to encrypt new credentials for people who do not yet have a password manager, so that I can send them over Slack and email.

In the interim, I've been using https://gpgtools.org (macOS) with https://github.com/jorgelbg/pinentry-touchid for a reasonably modern GPG experience.
owenvoke
New Contributor
3 years ago
Would love to have support for GnuPG / PGP as well. Been using it for years for commit signing, file encryption / signatures, and for communication.
Former Member
3 years ago
GnuPG/PGP is almost entirely different from SSH. Having one does not make up for not having the other. The whole point of 1password is to support all of these different tools in one system. Please stop distracting with SSH and just implement similar GnuPG support.
kherge
New Contributor
3 years ago
After having the pleasure of using 1Password's SSH agent, I am also very excited about the possibility of using my GnuPG keys with 1Password and a https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html#Agent-Protocol. SSH is nice, but I value GnuPG's sub keys support greatly.

I generally manage my identity with GnuPG keys, not SSH keys.

It's already been mentioned, but key servers for verification is great.

The ability to publish and revoke these keys.

Being able to create distinct sub keys allows me to avoid using a master key.

I can sign for things using dedicated signing keys.

I can encrypt things using dedicated encryption keys.

From what I understand, if you wanted any of this without GnuPG you would have to use certificates and certificate authorities.
Nezteb
New Contributor
3 years ago
Chiming in to echo that I'd love GPG support!
Former Member
3 years ago
+1 for this. Even with SSH signing I'd love GPG support for email among other things. It would beat adding my key as a file.
Jack_P_1P
1Password Team
3 years ago
Thanks for your feedback ionos!

Jack

Forum Discussion

GPG support? (like SSH)

81 Replies

Recent discussions

Apple Watch CLI Authentication

macOS 26 beta browser extension very slow to open

Use op on headless system with glab?

Console flooded with errors when clicking links during 1Password passkey selection dialog

How to create an Address field type using the CLI?