From b2bce8e5a792f7715f9e0fa2792b7fea2cf27f01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Wed, 27 Mar 2024 17:45:12 +0100
Subject: [PATCH] docs(README): update instructions

---
 README.md | 78 +++++++++++++++++++------------------------------------
 1 file changed, 27 insertions(+), 51 deletions(-)

diff --git a/README.md b/README.md
index 08f583b..3d75452 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,8 @@
-1. I have a GPG keypair in the same format as the one provided in `test-key.asc`. It is `ed25519`.
-2. That key was used to encrypt a file with [age encryption](https://github.com/FiloSottile/age) as shown below
-3. I want to decrypt that file, but only have a GPG secret key, as I couldn't
-   find out how to derive a SSH or age key from it.
+# gpg2age
 
-**GOAL**: Derive an age key from the provided GPG key that decrypt the file as
-shown below. A SSH key is also enough, since it can be used with `ssh-to-age` to
-derive the age key.
+Derive private ed25519 SSH key from private PGP key.
+
+GPG itself only supports exporting _public_ SSH keys and other tools don't work for ed25519 keys.
 
 ##### Notes:
 
@@ -13,60 +10,39 @@ derive the age key.
 - Work on `gnupg` was started for this feature, but never finished see this
   issue and commit: https://dev.gnupg.org/T6647
 
-## Example
+## Instructions
 
-Example key provided in `test-key.asc` to be imported. Use `--homedir` with
-`gpg` to set a temporary `.gnupg` directory
+First you need to export your PGP key from GPG:
 
 ```sh
-❯ gpg --homedir ./gnupg --import test-key.asc                                                                                                                                                                          impure ❄ ssh-to-age age
-gpg: WARNING: unsafe permissions on homedir '/home/pinpox/code/github.com/pinpox/gpg2age/./gnupg'
-gpg: key 76188CF30717B54E: public key "test (test) <test@test.com>" imported
-gpg: key 76188CF30717B54E: secret key imported
-gpg: Total number processed: 1
-gpg:               imported: 1
-gpg:       secret keys read: 1
-gpg:   secret keys imported: 1
-
-❯ gpg --homedir ./gnupg_testkey/ -K
-/home/pinpox/code/github.com/pinpox/gpg2age/./gnupg_testkey/pubring.kbx
------------------------------------------------------------------------
-sec   ed25519 2024-03-25 [C]
-      9FE4D484B69DB9F5C7AA208E76188CF30717B54E
-uid           [ultimate] test (test) <test@test.com>
-ssb   ed25519 2024-03-25 [S]
-ssb   cv25519 2024-03-25 [E]
-ssb   ed25519 2024-03-25 [A]
+❯ gpg2 --export-secret-keys --armor test@test.test >priv-gpg
 ```
 
-### Get age key and encrypt test file
+Then identify the public SSH key that was used to encrypt your secret.
+You can search for your GitHub username in: https://fluence-dao.s3.eu-west-1.amazonaws.com/metadata.json
+
+If you have multiple subkeys, usually it is the authenticate key highlighted with `[A]` in the output of:
 
 ```sh
-❯ gpg --homedir ./gnupg --export-ssh-key 9FE4D484B69DB9F5C7AA208E76188CF30717B54E
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYvKXGcG4a19tTT0Rycbn+D0r/YlKltLJ9dY2gR/Fjx openpgp:0x47C9F3FF
+❯ gpg --list-secret-keys --with-keygrip
 ```
 
+### Derive private SSH key
+
 ```sh
-❯ gpg --homedir ./gnupg --export-ssh-key 9FE4D484B69DB9F5C7AA208E76188CF30717B54E | ssh-to-age                                                                                                                             impure ❄ ssh-to-age
-age18s8m9hvlrwvltgys4lafyyqe356ntc7e06t4kd2nccqm5amsaa2s878mju # saved as age-public-key
+❯ go run main.go
 ```
 
+It'll ask you for the path to your private PGP key, followed by choosing the key/subkey and if your PGP key is encrypted it'll ask for the passphrase.
+
+In the output, verify that the public SSH key printed matches the one in `metadata.json`.
+If it matches, the last part of the output it will print the matching private SSH key.
+You can save the key to a file and use how you want.
+
+### Example: Decrypt age files
+
+If you want to decrypt a file that was encryptd by `age` with your public SSH key, you can just use `age` as normal to decrypt the file using the SSH private key that we've got in the previous step:
+
 ```sh
-❯ age --encrypt -R age-public-key testfile.txt > testfile.txt.age
-```
-
-### Get secret age key
-
-```sh
-❯ go run main.go                                                                                                                                                                                                       impure ❄ ssh-to-age age
-AGE-SECRET-KEY-165W948VSG5QEM0RPEUX8T3K4YXJT2WF83C2GXQH8Q3Q0ZHCTH44SSV0H34 # saved as age-secret-key
-```
-
-### Try to decrypt
-```sh
-❯ age --decrypt --identity age-secret-key --output decrypted testfile.txt.age                                                                                                                                          impure ❄ ssh-to-age age
-age: error: no identity matched any of the recipients
-age: report unexpected or unhelpful errors at https://filippo.io/age/report
-```
-
-FAIL :(
+❯ age --decrypt --identity ./ssh-secret-key --output decrypted ./testfile.txt.age
+```
\ No newline at end of file