Comment by alexpotato 17 hours ago

The author of AGE has a great point in the below blog post [0]:

    If you use something like SOPS or just check age secrets into a git repository next to source code, you need an authentication story for the whole repository. Having authentication for the secrets will do nothing if the attacker can change the source code that decrypts and uses them.

    That story can simply be “we trust GitHub” like most projects. Encrypting secrets with age will keep them confidential even if the project is Open Source, and anyone wanting to replace them will have to make a PR even if they can generate a new valid age file.

[0] https://words.filippo.io/age-authentication/