by marcus_cemes 1359 days ago
I'm not an expert, but here's my take.

The public key is generally not considered a secret and is therefore "less guarded". Anybody with access to the public key is able to encrypt and create legitimate-looking files that are indistinguishable from the original files. You can still only decrypt them using the private key, but you can no longer trust the contents of the file as your own.

A solution would be to encrypt with the public key, and then _also_ sign with the private key. When reading, you work in reverse order. You verify the signature using the public key, and then decrypt the file using the private key.

But then if you're just using both, why not use fast and robust symmetric encryption instead? Not only will decryption be garbage if the file has been tampered with, but you can also create a signature to detect it (HMAC).

1 comment

I think I understand what you are saying. For example, if you are using age to send an encrypted email, it is easy to encrypt the body/attachments to multiple recipients with their public keys (maybe published over DNS TXT records). But age doesn't give you a clear way for the recipients to read the message, fetch your private key, and authenticate the message was actually from you.