v2 breaking change and refactor #318

Open

smlx wants to merge 10 commits into main from v2-refactor

@smlx smlx commented Jun 5, 2026

Major refactor and breaking changes in no particular order:

  • Rework the way age keys/seeds work. Now piv-agent stores the seed file ID in a certificate extension. ML-KEM seeds, and therefore age identities, are 1:1 with slots.
  • Remove GPG / gpg-agent support entirely.
  • Remove zap in favour of slog.
  • Make notifications more intelligent by switching to a linux-only notification library.
  • Move from docsy to hugo-book for docs. Docsy is too heavyweight, requires constant maintenance, and the javascript breaks too often.
  • Various minor cleanups.

Fixes: #223
Fixes: #313

smlx added 10 commits May 26, 2026 14:53
Replace beeep with a much simpler, linux-only notify package, and with
the new package implement notification closing after touch.

Implement a wait-for-device command that will cause piv-agent to wait
for a yubikey device to be plugged in before exiting. The user will be
notified and can optionally dismiss the notification to cancel and fall
back to the keyfile immediately.

This gives a user a chance to plug in device before falling back to the
keyfile. This can be used in e.g. git's defaultKeyCommand script.

Also add some documentation.

* remove all support
* update documentation

1. Previously the age handler would try to load a seed file during
   HandleIdentity. If it wasn't available it would return an error to
   age and decryption would fail completely. Fix this by moving seed
   loading to Unwrap().

2. In Unwrap, return errors wrapping age.ErrIncorrectIdentity. This
   allows age to continue trying the decryption with another identity.

3. Don't return early if a stanza doesn't match the identity. Instead,
   check _all_ the stanzas!

Also move the seed fetch earlier out of the loop.

age identities are now 1:1 with slots. Seeds are generated and linked to
a slot on a 1:1 basis.
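
The Unwrap behaviour described in the commit messages above (seed loaded inside Unwrap, errors wrapping age.ErrIncorrectIdentity, every stanza checked), shown as an added example that is not piv-agent's own code. `Stanza`, `ErrIncorrectIdentity`, `slotIdentity` and `decrypt` are local stand-ins modelled on filippo.io/age so it builds with the standard library alone, and the XOR "unwrap" is a constructed placeholder for the real key decapsulation.

```go
package main

import (
	"errors"
	"fmt"
)
// Stand-ins for age.ErrIncorrectIdentity and age.Stanza (assumed, stdlib only).
var ErrIncorrectIdentity = errors.New("incorrect identity for recipient block")
type Stanza struct {
	Type string
	Args []string
	Body []byte
}

type slotIdentity struct { // hypothetical: one identity per slot, seed loaded lazily
	tag      string
	loadSeed func() ([]byte, error)
}

func (i *slotIdentity) Unwrap(stanzas []*Stanza) ([]byte, error) {
	seed, err := i.loadSeed() // fetched once, in Unwrap, before the stanza loop
	if err != nil || len(seed) == 0 {
		return nil, fmt.Errorf("%w: seed unavailable: %v", ErrIncorrectIdentity, err)
	}
	for _, s := range stanzas { // a non-matching stanza is skipped, not fatal
		if s.Type == "example" && len(s.Args) == 1 && s.Args[0] == i.tag {
			key := make([]byte, len(s.Body))
			for n, b := range s.Body { // constructed toy unwrap, not real crypto
				key[n] = b ^ seed[n%len(seed)]
			}
			return key, nil
		}
	}
	return nil, fmt.Errorf("%w: no stanza for slot %s", ErrIncorrectIdentity, i.tag)
}

// decrypt plays the caller: only ErrIncorrectIdentity lets the next identity try.
func decrypt(stanzas []*Stanza, ids ...*slotIdentity) ([]byte, error) {
	for _, id := range ids {
		if key, err := id.Unwrap(stanzas); !errors.Is(err, ErrIncorrectIdentity) {
			return key, err
		}
	}
	return nil, ErrIncorrectIdentity
}

func main() { // a missing seed file yields a skippable error, not a hard failure
	noSeed := func() ([]byte, error) { return nil, errors.New("no seed file") }
	fmt.Println(decrypt(nil, &slotIdentity{tag: "9a", loadSeed: noSeed}))
}
```

An error that does not wrap the sentinel stops `decrypt` at that identity, which is the failure mode the first commit message describes for the old HandleIdentity seed load.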

Successfully merging this pull request may close these issues.

  • Pop a notification and retry card loading loop if yubikey not present
  • Dismiss notification when touch is detected
