v1.1.0 release candidate #424
-
I'm pretty excited about plugin support! Thanks for your hard work on Age. :)
-
I'm using age as a lib and right now we can use
-
Plugin cannot be placed in same folder as the age.exe executable (Windows), is this intended?
age: error: failed to wrap key for recipient #0: yubikey plugin: couldn't start plugin: age-plugin-yubikey resolves to executable in current directory (.\age-plugin-yubikey.exe)
-
age is a simple, modern and secure file encryption tool, format, and Go library. It features small explicit keys, no config options, and UNIX-style composability.
v1.1.0-rc.1 is the first release candidate of v1.1.0. Users are encouraged to test the new release and especially the new features listed below. Issue or UX reports in advance of the final release are greatly appreciated.
📃 In case you missed it: a new, more polished version of the age format specification has been published.
Plugin support
The age CLI now supports plugins, such as age-plugin-yubikey. To test it on macOS with Homebrew:
Plugins must be loaded explicitly by using their respective recipient or identity, and are not tied to a specific header stanza type. This means plugins can be used not only to support new recipient types such as PIV tokens (i.e. YubiKeys) or cloud KMS solutions, but also to produce passphrase-encrypted files that can be decrypted without plugins, to store age native private keys on secure elements, or even for agent functionality or to proxy decryption operations to remote machines.
Plugins operate over a simple textual stdin/stdout protocol (C2SP/C2SP#5). Developers are encouraged to reach out with plugin ideas and announcements. Read more in the relevant man page section.
CLI breaking changes
If -i is used, passphrase-encrypted files are now rejected. Previously, a passphrase-encrypted file was auto-detected and the identity file was ignored. This could lead to unexpected behavior, such as a script blocking for user interaction, based on potentially untrusted input files. Now, age -d must be invoked without -i arguments to decrypt passphrase-encrypted files. A helpful error is printed otherwise. This should not break any automated system as passphrase decryption was always interactive.
Empty final chunks are now rejected. If a payload was a multiple of 64KiB long, there were two valid encryptions for it: with a "full" last chunk encrypting 64KiB, or with an additional "empty" chunk encrypting 0 bytes. age, rage, and all other known implementations only ever produced the former. (Note that age will forever decrypt files it generated.) The latter is now rejected. The specification is being updated (C2SP/C2SP#13) and test cases will be provided.
Minor changes
If /dev/tty is present but can't be opened, age will now fall back to trying to treat stdin as a terminal as if /dev/tty wasn't present.
Windows binary releases are now signed.
Documentation and error messages were improved.
Learn more
Learn more by reading the README, the age(1) man page, the Go API reference, the format specification, or the full changelog.
Watch the repository or follow @FiloSottile on Twitter to be notified of new releases.
This discussion was created from the release v1.1.0 release candidate.
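The "empty final chunks are now rejected" rule from the CLI breaking changes above, worked through as an added example (not code from the release notes or from age itself). It assumes the input is the length of the encrypted chunk stream after the header and the 16-byte payload nonce, and that each chunk carries a 16-byte Poly1305 tag; the function and error names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	chunkSize    = 64 * 1024           // plaintext bytes per chunk
	tagSize      = 16                  // authentication tag appended to each chunk (assumed)
	encChunkSize = chunkSize + tagSize // size of a full encrypted chunk
)

var (
	errTruncated  = errors.New("truncated chunk stream")
	errEmptyFinal = errors.New("empty final chunk after a full chunk")
)

// plaintextSize maps the length of the encrypted chunk stream to the
// plaintext length, or returns an error for layouts a strict decryptor rejects.
// It is a length-only check; a real decryptor also authenticates every chunk.
func plaintextSize(streamLen int64) (int64, error) {
	full, rem := streamLen/encChunkSize, streamLen%encChunkSize
	switch {
	case streamLen < tagSize:
		return 0, errTruncated // even an empty payload has one tag
	case rem == 0:
		return full * chunkSize, nil // "full" last chunk: the only accepted form
	case rem < tagSize:
		return 0, errTruncated // trailing bytes cannot hold a tag
	case rem == tagSize && full > 0:
		return 0, errEmptyFinal // second encoding of a 64KiB-multiple payload
	default:
		// Short final chunk; rem == tagSize with full == 0 is the empty payload.
		return full*chunkSize + rem - tagSize, nil
	}
}

func main() {
	// Constructed stream lengths: 65552 and 65568 both describe 64KiB of plaintext.
	for _, n := range []int64{16, 65552, 65568, 65569, 131120, 7} {
		size, err := plaintextSize(n)
		fmt.Printf("stream=%d plaintext=%d err=%v\n", n, size, err)
	}
}
```
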