>Here's why I like SSH signatures:

>* It's not PGP.

The most important reason people use the OpenPGP message format is that it is a well-accepted standard. Sure, the cryptography is not new and fun, but it is secure. If you sign something with OpenPGP then you can be sure that those signatures are verifiable on any platform by anyone. The OpenPGP standard has provisions to ensure that the signatures are from a particular entity. This proposal suggests that Github could be treated as a trusted third party. If that is the case then you don't need signatures at all.
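For readers who want to see what an SSH signature actually contains and what a verifier has to check before it can say "this came from a particular entity", the Go program below is an added example written for this page; it is not code from OpenSSH, Git, or anyone in the thread. It implements the version-1 SSHSIG layout from OpenSSH's PROTOCOL.sshsig document (the binary blob that `ssh-keygen -Y sign -n <namespace>` emits base64-armored between `-----BEGIN SSH SIGNATURE-----` and `-----END SSH SIGNATURE-----`), restricted to ed25519 keys and sha512 message hashing, using only the Go standard library. Its `Verify` plays the role of `ssh-keygen -Y verify -f allowed_signers`: the principal-to-key map, the `alice@example.com` principal and the sample payload are constructed for the example and stand in for a real allowed_signers file.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// Field layout follows OpenSSH's PROTOCOL.sshsig: version 1, ed25519 keys and sha512 only.
const sigMagic, sigHeader, keyType, hashAlg = "SSHSIG", "SSHSIG\x00\x00\x00\x01", "ssh-ed25519", "sha512"

// putString appends one SSH wire-format string: uint32 big-endian length, then the bytes.
func putString(b *bytes.Buffer, s []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	b.Write(l[:])
	b.Write(s)
}

// readStrings reads n wire-format strings, refusing any length that overruns the data (no hostile huge allocation).
func readStrings(r *bytes.Reader, n int) ([][]byte, error) {
	var out [][]byte
	for i := 0; i < n; i++ {
		var l [4]byte
		if c, _ := r.Read(l[:]); c != 4 || uint64(binary.BigEndian.Uint32(l[:])) > uint64(r.Len()) {
			return nil, errors.New("truncated or oversized field")
		}
		s := make([]byte, binary.BigEndian.Uint32(l[:]))
		r.Read(s) // cannot come up short: the length was just checked against r.Len()
		out = append(out, s)
	}
	return out, nil
}

// signedData is what the key actually signs: magic, namespace, reserved, hash name, H(message).
// The namespace sits inside the signed bytes, so a "file" signature cannot be replayed as "git".
func signedData(namespace string, msg []byte) []byte {
	h := sha512.Sum512(msg)
	var b bytes.Buffer
	b.WriteString(sigMagic)
	for _, f := range [][]byte{[]byte(namespace), nil, []byte(hashAlg), h[:]} {
		putString(&b, f)
	}
	return b.Bytes()
}

// Sign builds the binary SSHSIG blob; ssh-keygen -Y sign emits the same layout base64-armored.
func Sign(priv ed25519.PrivateKey, namespace string, msg []byte) []byte {
	var key, sig, out bytes.Buffer
	putString(&key, []byte(keyType))
	putString(&key, priv.Public().(ed25519.PublicKey))
	putString(&sig, []byte(keyType))
	putString(&sig, ed25519.Sign(priv, signedData(namespace, msg)))
	out.WriteString(sigHeader)
	for _, f := range [][]byte{key.Bytes(), []byte(namespace), nil, []byte(hashAlg), sig.Bytes()} {
		putString(&out, f) // publickey, namespace, reserved, hash_algorithm, signature
	}
	return out.Bytes()
}

// Verify parses the blob, insists on the caller's namespace, and accepts the signature only if the
// embedded key belongs to a principal in allowed (the allowed_signers step). It returns that principal.
func Verify(sig []byte, namespace string, msg []byte, allowed map[string]ed25519.PublicKey) (string, error) {
	if len(sig) < len(sigHeader) || string(sig[:len(sigHeader)]) != sigHeader {
		return "", errors.New("not a version-1 SSHSIG blob")
	}
	r := bytes.NewReader(sig[len(sigHeader):])
	f, err := readStrings(r, 5) // publickey, namespace, reserved, hash_algorithm, signature
	if err != nil || r.Len() != 0 || string(f[3]) != hashAlg {
		return "", errors.New("malformed blob, trailing data, or unsupported hash algorithm")
	}
	if string(f[1]) != namespace {
		return "", fmt.Errorf("signature is for namespace %q, not %q", f[1], namespace)
	}
	k, kerr := readStrings(bytes.NewReader(f[0]), 2) // key type, raw public key
	s, serr := readStrings(bytes.NewReader(f[4]), 2) // signature type, raw signature
	if kerr != nil || serr != nil || string(k[0]) != keyType || string(s[0]) != keyType || len(k[1]) != ed25519.PublicKeySize {
		return "", errors.New("unsupported key type or malformed key/signature blob")
	}
	for principal, pub := range allowed { // trust is decided by the verifier's list, not by the blob
		if bytes.Equal(pub, k[1]) && ed25519.Verify(pub, signedData(namespace, msg), s[1]) {
			return principal, nil
		}
	}
	return "", errors.New("signing key not in allowed_signers, or signature does not verify")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	allowed := map[string]ed25519.PublicKey{"alice@example.com": pub} // in-memory allowed_signers
	msg := []byte("constructed sample payload\n")
	sig := Sign(priv, "file", msg)
	fmt.Println(Verify(sig, "file", msg, allowed)) // alice@example.com <nil>
	fmt.Println(Verify(sig, "git", msg, allowed))  // "" signature is for namespace "file", not "git"
}
```

Two things the code makes concrete for the comparison with OpenPGP. First, the blob carries the signer's public key, but that key confers no trust by itself: `Verify` only reports a principal that the verifier's own allowed_signers data maps to that key, which is exactly the job the OpenPGP web of trust or a trusted third party otherwise has to do. Second, the namespace is part of the signed data, so the same key can sign files, git commits and anything else without one signature being reusable as another. Armoring is left out; `ssh-keygen -Y sign` will also sign through ssh-agent when given only the public key file, so a hardware-backed key can produce the same blob.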

Obligatory "The PGP Problem" rebuttal:

* https://articles.59.ca/doku.php?id=pgpfan:tpp

As people can discover from the search bar on this site, your argument against that blog post (which I co-wrote) includes the notion that authenticated encryption is bad, because unauthenticated encryption creates opportunities for data recovery. Restating for the record: I agree in part; where we part company is that I think creating opportunities for data recovery for adversaries is a bad idea.

At any rate: this comment thread is about signing with SSH keys, not your idiosyncratic response to my blog post.

I don't think they're being idiosyncratic. You start your post off with a paragraph that complains about how bad PGP is. Of course people will respond to that part.

I don't think PGP is that bad either. It's pretty standard asymmetric crypto. The implementations and especially the key sharing leave a lot to be desired, but for personal use I like it. And I love that there's lots of hardware key support. This is why I use it.

I personally use my hardware OpenPGP keys also for SSH, on Yubikeys and OpenPGP smartcards. I also use those for encrypting and signing data. So I'm already doing something similar to what you're saying, just the other way around.

Having my keys on a hardware token is a must-have for me and I wonder if that's possible with your method. I also prefer having a token that requires a hardware input for each use like the Yubikeys can. You can set them up to require a touch for every signature or authentication. This stops a compromised server you log in to from milking your SSH agent.

But how would I store the keys in hardware if not PGP? I tried PKCS11 modules with different cards before but the software chain with middleware is pretty terrible. PGP's is pretty sane (gpg --card-edit is much more user friendly than what was offered by the other more expensive cards I used!)

And I don't like FIDO2 either for this because it can't be used for content encryption/signing (which is what your blog post is about).

So, I'm pretty open to doing what you're doing but my requirement for hardware key storage makes it pretty hard I think.

It would be nice to hear your thoughts on this, how this could work with hardware-backed keys.

This whole thread is off-topic (talking about AEAD in a post about signing), but:

You can use age's AEAD encryption with Yubikeys. Yubikeys can do ECDHE in PIV mode.

I wrote https://github.com/tv42/yubage as a subprocess plugin to https://github.com/str4d/rage (and hopefully https://github.com/FiloSottile/age once they think plugins are stable enough to go in the reference implementation). The rage author also wrote their https://github.com/str4d/age-plugin-yubikey.