
A bunch of utilities which can handle "signing" with some sort of a key isn't a solution. That's not solving the trust problem, which is the actual hard part of GPG.

GPG isn't hard to use. It has quirks, but it's not hard - programmers should be able to figure it out.

Trust management is hard and no one has solved trust management well. It doesn't make one iota of difference how file signing is done; what matters is whether it can be done in a way which makes the scope, degree and path of trust clear in a way the user can action.

Hence my question: because the way we solve "trust" on the internet is "trust a megacorp". The global HTTPS system is based on whichever CAs are shipped in our browsers. And those CAs create global trust - they can issue certificates which say that anything, anywhere is totally who they say they are. Just the Root Certificate Authority process (which isn't bad, but it is just "hey guys, totally trust us").



> GPG isn't hard to use. It has quirks, but it's not hard - programmers should be able to figure it out.

I've been using GPG for roughly a decade, and I don't think I can consistently reproduce the basic commands I need from memory. I've lost track of the number of times I've corrupted my TTY by forgetting `--armor`, much less the number of times GPG has helpfully "guessed what I mean" in the wrong way.

At one point, I had at least 3 different copies of my key bundle on different keyservers. I wouldn't be able to tell you which one is the right one; I can count on a single hand the number of emails I've received encrypted to the right subkey (and on two hands the number of emails encrypted to any key of mine).

> Just the Root Certificate Authority process (which isn't bad, but it is just "hey guys, totally trust us").

This isn't true in a useful sense: the CA/B standards are pretty transparent, and the Web PKI mandates transparency (through things like CT) in a publicly auditable way. You can see (and verify) exactly what every CA is doing in the Web PKI, at all times.


I don't think PGP really solves any of these problems either, not for the vast majority of users outside of a fairly small group of PGP enthusiasts. PGP has a complex model and perhaps that's actually its weakest point – going "back to basics" would probably be a good thing.

In the meantime, there are lots of use cases that could benefit from easier and more straightforward signing. I had simply given up on signing anything in git because I just couldn't get it to work (it worked, and then it didn't, and then I fixed it with some effort, and then it broke again in obscure ways, and then I gave up) until git supported OpenSSH signing, which I've been using since the day it was committed without problems.



