Project ideas from Hacker News discussions.

Gpg.fail

πŸ“ Discussion Summary (Click to expand)

1. GPG/PGP's Fundamental Design Flaws

GPG is criticized as a flawed "Swiss Army knife" with incoherent packet systems enabling exploits like signature confusion and malleability.
"tptacek: PGP's insane packet system, where a PGP message is a practically arbitrary stream of packets... It's a deep architectural flaw in PGP."
"cpach: GPG has been a lost cause for basically decades."
"akerl_: GPG’s issues aren’t cash or developer time. It’s fundamentally a bad design for cryptographic usage."

2. Shift to Specialized Alternatives

Users recommend purpose-built tools like SSH, minisign, age, and Sequoia over PGP's multi-purpose approach.
"tptacek: Everything is better than PGP... use the real tool designed for that task."
"arccy: ssh or minisign for signing, age for file encryption."
"singpolyma3: Sequoia for example has been doing a great job and implements the latest version of the standard."

3. Maintainer Wontfix Erodes Trust

Refusals to patch vulnerabilities, especially cleartext signatures, fuel distrust in GnuPG maintainers like Werner Koch.
"rurban: trust in Werner Koch is gone. Wontfix??"
"woodruffw: something that’s been 'considered harmful' for three decades should be deprecated."
"derleyici: Werner Koch from GnuPG recently... [posted on] cleartext-signatures" (noting limited response).


🚀 Project Ideas

GitSign Pro

Summary

  • A CLI tool and git plugin that replaces GPG for commit/tag signing using Ed25519/SSH or minisign, with seamless YubiKey/PIV/FIDO2 support including configurable touch policies and multi-key management.
  • Core value: Secure, low-friction git signing without PGP vulnerabilities or keyring complexity; "just works" UX better than raw SSH.

Details

Key | Value
Target Audience | Open-source maintainers, kernel devs, anyone signing git commits/tags
Core Feature | Auto-detects hardware keys, signs with one command (gitsign sign), verifies inline; exports fingerprints for web publication
Tech Stack | Rust (sequoia-pgp for compat if needed), libssh, pcsc-lite/nitrokey for hardware
Difficulty | Medium
Monetization | Hobby

Notes

  • "I certainly want to get rid of gpg from my life if I can... signing with SSH keys considered more secure now?" (oefrha); HN users praise SSH/minisign but lament YubiKey UX pains like touch requirements during rebases.
  • High utility for kernel/QEMU maintainers still using GPG; sparks migration discussions.

AgeVault Manager

Summary

  • Cross-platform CLI/GUI for age encryption with keyring-like features: discover/import public keys via fingerprints/URLs/DNS, multi-recipient encryption (age-vault enc --recipients user@domain), YubiKey/SSH key integration, printable backups.
  • Core value: Makes age viable for backups/email attachments without PGP footguns or manual key juggling.

Details

Key | Value
Target Audience | DevOps/sysadmins encrypting backups/files for teams; GPG migrants needing simple asymmetric encrypt/sign
Core Feature | Key discovery from websites/DNSKEY, ephemeral recipients, audit logs; age-vault verify like gpg
Tech Stack | Go (age core), TUI (bubbletea), yubikey-agent
Difficulty | Medium
Monetization | Revenue-ready: Freemium (basic free, enterprise key server sync $5/user/mo)

Notes

  • "I need an alternative to 'gpg --encrypt --armor --recipient '"; "age... no keyring... not suitable for large-scale public key management" (johnisgood); addresses enterprise "keyring at a company" needs (deknos).
  • Practical for backups; HN would debate key discovery security, driving engagement.

PGPExit Toolkit

Summary

  • Open-source suite for distros/projects to migrate off PGP: audits signatures, generates SSH/minisign/Sigstore equivalents, automates key migration/verification scripts, compatibility shims for apt/rpm/git.
  • Core value: Breaks ecosystem lock-in, enabling safe deprecation without breakage.

Details

Key | Value
Target Audience | Linux distros (Fedora/Debian), projects (Linux kernel, QEMU, RPM)
Core Feature | pgpexit audit-repo scans/migrates; shim binaries (pgp-compat-sign calls minisign); migration guides/templates
Tech Stack | Python (subprocess for tools), GitPython, rpm/dpkg bindings
Difficulty | High
Monetization | Hobby

Notes

  • "Why do high-profile projects... still use GPG?... staggering ecosystem failure. If GPG... lost cause... why haven't alternatives... produced?" (ghickPit); refs ongoing Debian/Fedora discussions.
  • Utility for distros; HN loves tooling for big migrations, potential for collaborative forks.
