Would it be possible to add similar support for GPG keys?

I'm still super interested in this because I'd like to be able to more natively use 1password as the central hub to store keys used to sign published artifacts generated in CI. It'd be super-handy if I could easily generate a new signing subkey and revoke one which was compromised when a CI system's cloud provider gets hacked again, all without having to change a thing about the ci logic. Bonus points for also auto-publishing to one or more keyservers on-change. For one example. Right now I have to locally export a key, import that into 1password as a text field, then have automation fetch the armored key before importing it into a local agent, etc. It's kind of a convoluted process compared to something like telling a package signing process to just use a local key agent which can just speak to 1password connect -- for another example. :) Git commit signing is technically on the list, but more of a side effect to me personally.

I think they're hoping everyone storing PGP keys is using them for signing commits and as people discover it can be done with SSH, they'll give up asking for the feature. There are indeed those of us from the '90s still using S/MIME and encrypting blocks to others who want 1Password to be the one stop secret shop.

Big +1 SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified" which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key, or a commit that was not signed, or signed with another key that's not allowed. The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.

Very interested in this as well.

Hey folks! Love to see the enthusiasm here and we are definitely evaluating this to add going forward 😄 Stay tuned!

GPG support? (like SSH) | 1Password Community

Former Member
3 years ago
+1 for GPG. As verified commit in Github requires I am using this several times daily.
Former Member
3 years ago
+1
Former Member
4 years ago
I would love to see this as well!
sullimander
New Contributor
4 years ago
I would love to see this as a feature. Right now I primarily use GPG for git commit signing, and my key lives on an Yubikey, but I would love to have it live in 1Password, and not have to have GPG Suite installed on my Mac.
Former Member
4 years ago
Targeting at commit signing with git:
Since git v2.34 it is possible to sign commits with ssh keys. Currently there is no verified badge on platforms like GitHub, but since git v2.34 was only released at the end of 2021, I think it should be supported on these platforms in the near future.
Former Member
4 years ago
I would like to see this support as well. Not just for secret GPG keys, but actually it would be somewhat awesome if 1Password could completely replace the need for GPG Suite on my Mac (I mostly use GPG for Git commit signing, so don't have GPGMail installed) by supporting the storage of public keys as well.
XIII
Super Contributor
4 years ago
Yes, just storing (and optionally showing some additional relevant fields within the 1Password GUI) would already be nice.
Lucent
New Contributor
4 years ago
My use case isn't so much interacting with other certificates the way I do with SSH but storing them in a robust way, so even accepting other types that did nothing other than storage would be great. For example, ProtonMail and other certificates corresponding to email addresses. Currently, they're all lumped into one .asc as a document in 1Password along with a note of how the backup was created: gpg --output pgp_keys.asc --armor --export-secret-keys --export-options export-backup so anything would be an improvement over that.
XIII
Super Contributor
4 years ago
Excellent!

(Like @smanojkarthick my main use case is signing commits on GitHub so that they become verified)
Former Member
4 years ago
Great to hear! Thank you 😀

Forum Discussion

GPG support? (like SSH)

Recent Discussions

Random (400) Bad Requests

Speed concerns

"op read" is pretty slow, ~700ms per invocation

connect server - connection refused

Revoked service accounts