by tptacek 1823 days ago
I'm not sure you understand what the previous commenter was suggesting. They're saying the receiver of an `age` message could, in theory, skip authenticating the ciphertext. They would have to do so deliberately (so deliberately that the code to do it doesn't exist), and the entire point of doing so would be to defeat message security in an attempt to do data recovery.

I think you should probably dig into the age code before writing posts about why PGP is better than age. The question of whether adversaries can modify age messages in transit is a pretty basic one.


The actual damaged 64K age blocks would likely be unrecoverable after the start of the damage unless the chacha20-poly1305 ended up being self-synchronizing as it was used (as opposed to the CFB that OpenPGP specifies). The question I can't answer is if the undamaged 64K age blocks would then be recoverable. There might be just a counter, but you could instead (also) make a particular block dependent on the previous one(s).
Do you understand that chacha20 is CTR? A bit flip only affects that single bit and does not propagate to any other bits?
From that can I get that an age recovery utility would need to detect missing data and would then need to insert dummy blocks (or the equivalent)? I guess there would have to be a minor element of brute force involved as there would be no easy way to distinguish bad blocks from the blocks after the missing chunk.
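An added illustration of the two points made above (not code from the thread or from the age project): a pure-Python RFC 8439 ChaCha20 used without its Poly1305 tag, i.e. exactly the deliberate "skip authentication" decrypt the thread is talking about. The per-chunk nonce layout (chunk index in the last four bytes) and the demo key are assumptions for this example, not age's actual format.

```python
import struct

def _qr(s, a, b, c, d):
    # RFC 8439 quarter round: a+=b; d^=a; d<<<=16; c+=d; b^=c; b<<<=12; then 8 and 7
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] = ((s[z] ^ s[x]) << r | (s[z] ^ s[x]) >> (32 - r)) & 0xFFFFFFFF

def chacha20_block(key, counter, nonce):
    # One 64-byte keystream block: 32-byte key, 32-bit block counter, 12-byte nonce.
    init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    init += struct.unpack("<8L", key) + (counter & 0xFFFFFFFF,) + struct.unpack("<3L", nonce)
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for col in range(4):
            _qr(s, col, col + 4, col + 8, col + 12)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def chacha20_xor(key, nonce, data, counter=1):
    # Keystream XOR: the same call encrypts and decrypts. No Poly1305 tag is computed.
    out = bytearray(data)
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

def chunk_nonce(index):
    # Assumed layout for the demo: 12-byte nonce whose last 4 bytes hold the chunk index.
    return bytes(8) + struct.pack("<L", index)
def encrypt_chunks(key, plaintext, chunk_size=64 * 1024):
    # Each fixed-size chunk (the thread's 64K blocks) is encrypted under its own nonce.
    return [chacha20_xor(key, chunk_nonce(i), plaintext[o:o + chunk_size])
            for i, o in enumerate(range(0, len(plaintext), chunk_size))]
def decrypt_chunks_unauthenticated(key, chunks, first_index=0):
    # first_index models a recovery tool guessing which chunk number a run starts at.
    return b"".join(chacha20_xor(key, chunk_nonce(first_index + i), c)
                    for i, c in enumerate(chunks))
def corrupted_offsets(key, plaintext, chunk_index, byte_offset, chunk_size=64 * 1024):
    # Flip one ciphertext bit, decrypt with no tag check, list the plaintext offsets that changed.
    chunks = encrypt_chunks(key, plaintext, chunk_size)
    hit = bytearray(chunks[chunk_index]); hit[byte_offset] ^= 0x01; chunks[chunk_index] = bytes(hit)
    recovered = decrypt_chunks_unauthenticated(key, chunks)
    return [i for i in range(len(plaintext)) if recovered[i] != plaintext[i]]

def intact_after_loss(key, plaintext, lost_chunk, first_index, chunk_size=64 * 1024):
    # Drop a whole chunk, decrypt the remainder assuming it starts at first_index,
    # and report whether every surviving chunk came back as its original bytes.
    chunks = encrypt_chunks(key, plaintext, chunk_size)
    tail = decrypt_chunks_unauthenticated(key, chunks[lost_chunk + 1:], first_index)
    return tail == plaintext[(lost_chunk + 1) * chunk_size:]
```

`corrupted_offsets` shows a flipped ciphertext bit changing exactly one plaintext byte, which is the CTR property the second comment describes; `intact_after_loss` shows that once a chunk is missing, the chunks after it only decrypt when the recovery tool guesses the right index, i.e. inserts the dummy block the last comment asks about.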