Forum Discussion
79 Replies
- svish (Occasional Contributor)
Currently have my GPG key stored in 1Password as a simple file entry. Would be absolutely awesome if there instead was an actual item type for GPG keys, and there were tools that allowed me to use it in various ways directly via 1Password.
For example, if the Quick Access, when choosing a GPG item, allowed me to quickly sign or encrypt/decrypt selected text.
Would also be great if the GPG key could be used for signing git commits and such, like you can with SSH keys now.
- svish (Occasional Contributor)
Thanks, it really would be very helpful!
As others say, there are a lot of GPG tools around, but I'd say most of them are not necessarily very user friendly. It's also very true that there really is a lot to OpenPGP and GPG, but 1Password could start small by adding certain very helpful features (like signing, encrypt/decrypt, editing easy-to-change details in the key, etc.), and later add more involved stuff (like revoking of keys, integration with key servers, probably via the CLI, and so on).
- jau (New Contributor)
IMO, GPG is a fairly complex standard that sees use in many, many ways. Adding support for all of these myriad ways into 1Password may be reinventing the wheel because GPG already has a large number of tools available. And these tools are quite modern in their implementation (but often not in their UI/UX).
At the same time, I do want to be able to store my GPG keys in 1Password. After all, what I am paying for is having to remember just "one password".
- lukasgabriel (New Contributor)
Yes, PLEASE add this feature! +++++
Years ago, I set up PGP for mail, git signing, and SSH as well.
1Password SSH features are great but they don't work with this PGP "ecosystem".
I have had to convert my keys and change my workflow, which was very complicated.
- AnastasiyaSoyka (New Contributor)
Just to throw my opinion into the mix: SSH keys cannot be substituted for PGP keys in all cases. A PGP key is closer to a digital certificate than it is to an SSH key; whereas an SSH key is really just a raw public key with a tiny amount of metadata attached, a PGP key can and generally does contain a wealth of additional metadata, and is also used for a much wider variety of purposes, like certifying other public keys or containing attached subkeys.
In concrete terms, an SSH key cannot be substituted for a PGP key for many use cases, like E2E encrypted email, YubiKey, cryptocurrency wallets etc. If 1Password were to support a GnuPG authentication agent, it would make storing private keys in a centralized location easier and more secure, and the process of performing common PGP-related tasks more transparent.
While GnuPG is pretty widely supported nowadays, and there is a wide variety of FOSS out there for managing keys, having my PGP keys stored in 1Password would make life a little easier. It's a small quality-of-life improvement, but not really a significant ask from me personally. I use 1Password because it has the best user experience and broadest compatibility of all of the password managers I've tried, and I intend to keep using it regardless of whether or not PGP keys are supported.
- diegolinke (Occasional Contributor)
+1
GnuPG, multiple use cases, sign/encrypt archive, sensitive information, emails, etc.
- froazin (New Contributor)
Big +1
SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified" which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key, or a commit that was not signed, or signed with another key that's not allowed.
The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.
- xavp75 (New Contributor)
+1
- FatalMerlin (New Contributor)
Please add GPG support! It would be amazing.
- rosstimson (New Contributor)
+1. I'd like to be able to store GPG subkeys in 1Password and, instead of entering a PIN like I currently do with subkeys stored on a YubiKey, I'd just use a fingerprint. Subkeys would sync with other machines in the same way SSH keys (and everything else) do. I've already switched to using SSH with 1Password for signing Git commits, mostly for the convenience. If there was GPG support, though, I'd probably use GPG for Git signing again. However, I also use GPG for encryption of files; it's especially useful for encrypting and authing to things like email services etc. when using Emacs, which is my editor of choice.
- shishi1p (New Contributor)
I can't wait to see this feature. GPG keys are not only for Git, as you know, and they are hard to store securely. This will be very useful for business users also.