FoxDen/tapemgr

Fork 0

fix(deps): update module filippo.io/age to v1.3.1 #31

Merged

Doridian merged 1 commit from renovate/filippo.io-age-1.x into main

2025-12-28 10:59:48 -08:00

MaidFox commented

2025-12-27 14:54:03 -08:00

Member

This PR contains the following updates:

Package	Change	Age	Confidence
filippo.io/age	`v1.2.1` → `v1.3.1`

Release Notes

FiloSottile/age (filippo.io/age)

`v1.3.1`

Compare Source

v1.3.1 is a minor release to restore version injection from downstream package build processes.

See the v1.3.0 release notes for an overview of recent additions.

`v1.3.0`: age v1.3.0: post-quantum (and more)!

Compare Source

The age logo, a wireframe of St. Peters dome in Rome, with the text: age, file encryption

Exactly six years after the first age beta release, v1.3.0 brings post-quantum resistance to age, along with a couple long-requested features, built-in support for recipients compatible with hardware plugins, I/O API improvements, and many usability enhancements.

Post-quantum recipients

age now has native post-quantum recipients based on HPKE with a hybrid ML-KEM-768 KEM. The recipients start with age1pq1..., and the identities start with AGE-SECRET-KEY-PQ-1....

To generate a post-quantum keypair:

$ age-keygen -pq

If you have your own age implementation, C2SP has the specification, and CCTV has test vectors for the new hybrid recipient types.

(If you are using an older age client, an optional plugin is available that provides out-of-the-box support for encryption to hybrid recipients. Hybrid identities can be converted to work with the plugin with age-plugin-pq -identity.)

New I/O APIs

The new DecryptReaderAt API implements seeking decryption, which can be used with zip.NewReader.

The new EncryptReader API implements pull-based encryption by wrapping an io.Reader, as opposed to wrapping an io.Writer like Encrypt.

age-inspect

The new age-inspect(1) tool presents the metadata of an age file without decrypting it.

hello.age is an age file, version "age-encryption.org/v1".

This file is ASCII-armored.

This file is encrypted to the following recipient types:
  - "mlkem768x25519"

This file uses post-quantum encryption.

Size breakdown (assuming it decrypts successfully):

    Header                      1627 bytes
    Armor overhead              1350 bytes
    Encryption overhead           32 bytes
    Payload                     1959 bytes
                        -------------------
    Total                       4968 bytes

Tip: for machine-readable output, use --json.

Built-in recipients compatible with hardware plugins

age(1) now supports encrypting to age1tag1... and age1tagpq1... recipients, which are compatible with hardware plugins. The latest or upcoming versions of age-plugin-yubikey, age-plugin-tpm, and age-plugin-se will support producing these recipients for existing and new keys, and decrypting files encrypted to them.

The filippo.io/age/tag package provides an implementation, including a Recipient.Tag method useful to plugin implementations.

C2SP has the specification for these recipient types.

(For users that are using older age clients, there are compatiblity plugins that can be shipped along with the hardware plugins.)

Non-interactive passphrase input

We have long resisted implementing non-interactive CLI passphrase input, because most use cases are more securely and/or efficiently served by native keys or passphrase-encrypted identities. However, there are some residual use cases.

This is now available through the batchpass plugin, but we invite everyone to read the warning in the man page and help text.

Go framework for implementing plugins

The filippo.io/age/plugin package now provides a framework for exposing age.Recipient and age.Identity implementations as standalone CLI plugins.

For example, this is the entire age-plugin-tagpq compatibility implementation:

package main

import (
	"log"
	"os"

	"filippo.io/age"
	"filippo.io/age/plugin"
	"filippo.io/age/tag"
)

func main() {
	p, err := plugin.New("tagpq")
	if err != nil {
		log.Fatal(err)
	}
	p.HandleRecipient(func(b []byte) (age.Recipient, error) {
		return tag.NewHybridRecipient(b)
	})
	os.Exit(p.Main())
}

Moreover, the new plugin.NewTerminalUI function provides a ready-to-use terminal-based ClientUI implementation for the existing plugin client API.

Armor fixes

The CLI now allows some leading whitespace before the armor header, as the API always did. The API and CLI now reject empty lines in armored data, as required by the spec.

Detached headers

The new set of APIs ExtractHeader, DecryptHeader, and NewInjectedFileKeyIdentity allow working with detached age headers, where the file key is unwrapped separately from the actual file decryption. This can be useful for efficiency or to delegate unwrapping without exposing the file contents.

Usability improvements

The CLI will now refuse to output decrypted binary data to the terminal. (We did this before attending the gpg.fail talk!)

Native identities are now tried first when decrypting through both the CLI and the API, since they can't require interaction. Order is otherwise preserved.

NoIdentityMatchError now exposes the stanza types of the header, unwraps to the errors returned by the Identity.Unwrap method calls, and prints the underlying error if only one identity was provided.

Virtual terminal processing is now enabled on Windows terminals that don't enable it by default, so that ANSI escape sequences work as expected.

Many improved and more proactively helpful error messages.

The release artifacts now include a source tarball with vendored dependencies.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [filippo.io/age](https://github.com/FiloSottile/age) | `v1.2.1` → `v1.3.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/filippo.io%2fage/v1.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/filippo.io%2fage/v1.2.1/v1.3.1?slim=true) | --- ### Release Notes <details> <summary>FiloSottile/age (filippo.io/age)</summary> ### [`v1.3.1`](https://github.com/FiloSottile/age/releases/tag/v1.3.1) [Compare Source](https://github.com/FiloSottile/age/compare/v1.3.0...v1.3.1) v1.3.1 is a minor release to restore version injection from downstream package build processes. See [the v1.3.0 release notes](https://github.com/FiloSottile/age/releases/tag/v1.3.0) for an overview of recent additions. ### [`v1.3.0`](https://github.com/FiloSottile/age/releases/tag/v1.3.0): age v1.3.0: post-quantum (and more)! [Compare Source](https://github.com/FiloSottile/age/compare/v1.2.1...v1.3.0) <p align="center"><img alt="The age logo, a wireframe of St. Peters dome in Rome, with the text: age, file encryption" width="600" src="https://user-images.githubusercontent.com/1225294/132245842-fda4da6a-1cea-4738-a3da-2dc860861c98.png"></p> Exactly six years after [the first age beta release](https://github.com/FiloSottile/age/releases/tag/v1.0.0-beta1), v1.3.0 brings post-quantum resistance to age, along with a couple long-requested features, built-in support for recipients compatible with hardware plugins, I/O API improvements, and many usability enhancements. ##### Post-quantum recipients age now has native post-quantum recipients based on HPKE with a hybrid ML-KEM-768 KEM. The recipients start with `age1pq1...`, and the identities start with `AGE-SECRET-KEY-PQ-1...`. To generate a post-quantum keypair: ``` $ age-keygen -pq ``` If you have your own age implementation, C2SP has [the specification](http://c2sp.org/age#the-mlkem768-x25519-ie-x-wing-hybrid-post-quantum-recipient-type), and CCTV has [test vectors](https://github.com/C2SP/CCTV/tree/main/age) for the new hybrid recipient types. (If you are using an older age client, [an optional plugin](https://github.com/FiloSottile/age/tree/main/extra/age-plugin-pq) is available that provides out-of-the-box support for encryption to hybrid recipients. Hybrid identities can be converted to work with the plugin with `age-plugin-pq -identity`.) ##### New I/O APIs The new [DecryptReaderAt](https://filippo.io/age#DecryptReaderAt) API implements seeking decryption, which can be used with [zip.NewReader](https://pkg.go.dev/archive/zip#NewReader). The new [EncryptReader](https://filippo.io/age#EncryptReader) API implements pull-based encryption by wrapping an io.Reader, as opposed to wrapping an io.Writer like [Encrypt](https://filippo.io/age#Encrypt). ##### age-inspect The new [age-inspect(1) tool](https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age-inspect.1.html) presents the metadata of an age file without decrypting it. ``` hello.age is an age file, version "age-encryption.org/v1". This file is ASCII-armored. This file is encrypted to the following recipient types: - "mlkem768x25519" This file uses post-quantum encryption. Size breakdown (assuming it decrypts successfully): Header 1627 bytes Armor overhead 1350 bytes Encryption overhead 32 bytes Payload 1959 bytes ------------------- Total 4968 bytes Tip: for machine-readable output, use --json. ``` ##### Built-in recipients compatible with hardware plugins age(1) now supports encrypting to `age1tag1...` and `age1tagpq1...` recipients, which are compatible with hardware plugins. The latest or upcoming versions of age-plugin-yubikey, age-plugin-tpm, and age-plugin-se will support producing these recipients for existing and new keys, and decrypting files encrypted to them. The [filippo.io/age/tag](https://filippo.io/age/tag) package provides an implementation, including a [Recipient.Tag](https://filippo.io/age/tag#Recipient.Tag) method useful to plugin implementations. C2SP has [the specification](https://c2sp.org/age#the-tagged-recipient-types) for these recipient types. (For users that are using older age clients, there are [compatiblity plugins](https://github.com/FiloSottile/age/tree/main/extra) that can be shipped along with the hardware plugins.) ##### Non-interactive passphrase input We have long resisted implementing non-interactive CLI passphrase input, because most use cases are more securely and/or efficiently served by native keys or passphrase-encrypted identities. However, there are some residual use cases. This is now available through the [batchpass plugin](https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age-plugin-batchpass.1.html), but we invite everyone to read the warning in the man page and help text. ##### Go framework for implementing plugins The [filippo.io/age/plugin](https://filippo.io/age/plugin) package now provides a framework for exposing [age.Recipient](https://filippo.io/age#Recipient) and [age.Identity](https://filippo.io/age#Identity) implementations as standalone CLI plugins. For example, this is the entire age-plugin-tagpq compatibility implementation: ```go package main import ( "log" "os" "filippo.io/age" "filippo.io/age/plugin" "filippo.io/age/tag" ) func main() { p, err := plugin.New("tagpq") if err != nil { log.Fatal(err) } p.HandleRecipient(func(b []byte) (age.Recipient, error) { return tag.NewHybridRecipient(b) }) os.Exit(p.Main()) } ``` Moreover, the new [plugin.NewTerminalUI](https://filippo.io/age/plugin#NewTerminalUI) function provides a ready-to-use terminal-based [ClientUI](https://filippo.io/age#ClientUI) implementation for the existing plugin client API. ##### Armor fixes The CLI now allows some leading whitespace before the armor header, as the API always did. The API and CLI now reject empty lines in armored data, as required by the spec. ##### Detached headers The new set of APIs [ExtractHeader](https://filippo.io/age#ExtractHeader), [DecryptHeader](https://filippo.io/age#DecryptHeader), and [NewInjectedFileKeyIdentity](https://filippo.io/age#NewInjectedFileKeyIdentity) allow working with detached age headers, where the file key is unwrapped separately from the actual file decryption. This can be useful for efficiency or to delegate unwrapping without exposing the file contents. ##### Usability improvements The CLI will now refuse to output decrypted binary data to the terminal. (We did this before attending the [gpg.fail](https://gpg.fail/) talk!) Native identities are now tried first when decrypting through both the CLI and the API, since they can't require interaction. Order is otherwise preserved. [NoIdentityMatchError](https://filippo.io/age#NoIdentityMatchError) now exposes the stanza types of the header, unwraps to the errors returned by the [Identity.Unwrap](https://filippo.io/age#Identity.Unwrap) method calls, and prints the underlying error if only one identity was provided. Virtual terminal processing is now enabled on Windows terminals that don't enable it by default, so that ANSI escape sequences work as expected. Many improved and more proactively helpful error messages. The release artifacts now include a source tarball with vendored dependencies. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

MaidFox added 1 commit

2025-12-27 14:54:03 -08:00