Retr0id 4 days ago
I'm curious, what do you actually use it for? I'd have otherwise guessed that this tool mainly exists just to test lib25519. Personally I'd only ever want a library, or some higher-level tool. A CLI tool that just does raw signing feels like a weird (and footgun-shaped) middle ground.
|
  tptacek 4 days ago
  This mostly exists to test lib25519 and ostensibly to build systems with shell scripts (though: few people would do that). It is a weird and footgun-shaped middle ground.
|
  XorNot 4 days ago
  It's why no one has succeeded in replacing GPG: you need a lot of systems to work in order to have an actual viable one; the ability to spit out signatures from keys is required but not sufficient.

    adastra22 4 days ago
    GPG is pervasive for the same reason git is pervasive: network effects. There are plenty of better alternatives.

      XorNot 4 days ago
      Such as? I need an alternative which supports commutative trust relationships of some sort which are revocable.

        adastra22 3 days ago
        You (knowingly?) picked the one counterexample, lol. Web of trust is the one application of PGP/GPG for which there isn't a product-ready replacement tool to point towards. GPG is built around web of trust, but this is generally believed to have been a very, very bad idea and the source of innumerable security problems for nearly every application that has tried to make use of it. The GPG replacements I would point to are purpose-built for specific domains and eschew web of trust: https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/

        That said, you might find what you are looking for in the Rebooting Web of Trust project, and the various decentralized identity (DID) implementations that have come out of it: https://www.weboftrust.info/

          XorNot 2 days ago
          No, I picked the case I'm dealing with most commonly, which is establishing trust. X509 certs will also do this. I have numerous criticisms of the GPG system, but it's not a solution to just not implement any solution at all: i.e. I need revocation lists, I need intermediate keys, I need the ability to establish alternate chains of trust or promote a chain to trusted. Some of this is very hard to do even with X509, or not well supported.

            adastra22 2 days ago
            Trust meaning who you should do business with? Whose advice you should take? Rather than "trust" you mean something very specific: whether a key was issued by an entity, or attested to from a set of authorities. The "web of trust" model that PGP/GPG supports is not the ideal means of implementing this.

        C4K3 4 days ago
        Keybase or any of the tools inspired by keybase (foks.pub etc.)

  Fnoord 4 days ago
  > I'm curious, what do you actually use it for?

  FTA:

  > These tools allow lib25519 to be easily used from shell scripts.

  I've never used ed25519-cli, but not having to use a library is nice for someone who isn't a programmer.

    tptacek 4 days ago
    The Venn diagram of "not a programmer" and "can safely use Ed25519" is two non-overlapping circles.

      PunchyHamster 4 days ago
      "This app needs me to generate a key and point to it in config" is plenty of overlap.

        Retr0id 4 days ago
        If you just want a raw ed25519 private key then `head -c32 /dev/urandom` does the job. But usually you want a DER/PEM wrapper or similar, which the openssl cli tools handle nicely.
      kfreds 4 days ago
      I don't consider myself a programmer and I can use Ed25519 safely. I do however understand computing fairly well.

        Retr0id 4 days ago
        I consider myself a programmer and ed25519-understander, but the idea of using it directly within a shell script terrifies me.

      alexjurkiewicz 4 days ago
      Simply combine this tool with `openssl enc` and your shell script is as secure as any shell script could be.

    loeg 4 days ago
    Someone writing shell scripts is a programmer, for better or worse.