UX: Handle Multiple SSH Keys/Recipients in Single Flag Input

[mohammed90]

What were you trying to do

Use age to encrypt a file with multiple SSH recipients in a single flag-passed -r, --recipient value.

What happened

(didn't "happened", rather cannot happen)

I'm trying to encrypt a file with multiple SSH recipients by grabbing their public SSH keys set on Github. The command is:

age -r "$(curl https://github.com/<username>.keys)" -o encrypted-file.txt to-encrypt.txt

Currently, the -r,--recipient flag can be used multiple times to pass multiple keys. However, it doesn't expect a single passing to contain multiple keys, and discards the rest returned from ssh.ParseAuthorizedKey (4th-positioned return value):

age/internal/age/ssh.go

Lines 150 to 152 in bbab440

	func ParseSSHRecipient(s string) (Recipient, error) {
	pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(s))
	if err != nil {

The ssh.ParseAuthorizedKey func will look for the first \n, split the input at the point, and return the rest:

https://github.com/golang/crypto/blob/53104e6ec876ad4e22ad27cce588b01392043c1b/ssh/keys.go#L178-L180

Without -r,--recipient accepting multiple SSH keys at once, user will either have to download the keys (i.e. wget https://github.com/<username>.keys), split them into multiple files, and pass -r as many times as the number of files resulting from splitting <username.keys>; or they will have to use some clever shell tricks to split them and pass multiple -r in a one-liner.

[FiloSottile]

This was implemented as -R/--recipients-file!