[Retr0id]

I'm curious, what do you actually use it for?

I'd have otherwise guessed that this tool mainly exists just to test lib25519. Personally I'd only ever want a library, or some higher-level tool. A CLI tool that just does raw signing feels like a weird (and footgun-shaped) middle ground.

[tptacek]

This mostly exists to test lib25519 and ostensibly to build systems with shell scripts (though: few people would do that). It is a weird and footgun-shaped middle ground.

[XorNot]

It's why no one has succeeded in replacing GPG: you need a lot of systems to work in order to have an actual viable one, the ability to spit out signatures from keys is required but not sufficient.

[adastra22]

GPG is pervasive for the same reason git is pervasive: network effects. There are plenty of better alternatives.

[XorNot]

Such as? I need an alternative which supports commutative trust relationships of some sort which are revocable.

[adastra22]

You (knowingly?) picked the one counter example, lol. Web of trust is the one application of PGP/GPG for which there isn’t a product ready replacement tool to point towards. GPG is built around web of trust, but this is generally believed to have been a very, very bad idea and the source of innumerable security problems for nearly every application that has tried to make use of it. The GPG replacements I would point to are purpose-built for specific domains and eschew web of trust:

https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/

That said, you might find what you are looking for in the Rebooting Web of Trust project, and the various decentralized identity (DID) implementations that have come out of it:

https://www.weboftrust.info/

[XorNot]

No I picked the case I'm dealing with most commonly: which is establishing trust. X509 certs will also do this.

I have numerous criticisms of the GPG system but it's not a solution to just not implement any solution at all: I.e. I need revocation lists, I need intermediate keys, I need the ability to establish alternate chains of trust or promote a chain to trusted. Some of this is very hard to do with x509 even or not will supported.

[adastra22]

Trust meaning who you should do business with? Whose advice you should take?

Rather than “trust” you mean something very specific: whether a key was issued by an entity, or attested to from a set of authorities. The “web of trust” model that PGP/GPG supports is not the ideal means of implementing this.

[C4K3]

Keybase or any of the tools inspired by keybase (foks.pub etc)

[adastra22]

Isn’t keybase to GPG what github is to git?

[Fnoord]

> I'm curious, what do you actually use it for?

FTA:

> These tools allow lib25519 to be easily used from shell scripts.

I've never used ed25519-cli, but not having to use a library is nice for someone who isn't a programmer.

[tptacek]

The Venn diagram of "not a programmer" and "can safely use Ed25519" is two non-overlapping circles.

[PunchyHamster]

"this app needs me to generate a key and point to it in config" is plenty of overlap

[Retr0id]

If you just want a raw ed25519 private key then `head -c32 /dev/urandom` does the job. But usually you want a DER/PEM wrapper or similar, which the openssl cli tools handle nicely.

[kfreds]

I don't consider myself a programmer and I can use Ed25519 safely. I do however understand computing fairly well.

[Retr0id]

I consider myself a programmer and ed25519-understander, but the idea of using it directly within a shell script terrifies me.

[alexjurkiewicz]

Simply combine this tool with `openssl enc` and your shell script is as secure as any shell script could be

[loeg]

Someone writing shell scripts is a programmer, for better or worse.