age for developers.
You already have SSH keys and a GitHub account. AgePony turns both into an encryption and signing setup you can drive from your phone — and everything it produces is exactly what the age and ssh-keygen command lines expect.
The workflow this addresses.
You need to get a secrets file to a teammate, or sign a release so people know it's really from you, or check that a download wasn't tampered with. None of that should require sitting at your main machine. With your SSH key already on your phone, AgePony covers all three.
What age does for you here, and what it doesn't.
Encrypt + sign with keys you have
Encrypt a file to anyone whose SSH key is on GitHub by typing their username. Sign a file with your own SSH key or a tapped security key, producing a standard SSHSIG. Verify signatures and decrypt with the matching key, all on the phone.
Not in scope
This isn't OpenPGP commit signing or the GitHub "Verified" badge that comes from GPG/SSH commit signatures configured in git. AgePony signs files, not git commits. It also doesn't manage CI secrets stores; it produces the encrypted file you'd feed into one.
A concrete workflow.
- A teammate needs the staging .env. In AgePony, add them as a recipient by typing their GitHub username — AgePony fetches their SSH keys.
- Encrypt the .env to them. Out comes a .env.age only they can open.
- Send it however you like — Slack, email, a shared drive. The ciphertext is safe in transit and at rest.
- They decrypt with their key in AgePony, or run age -d -i ~/.ssh/id_ed25519 on their machine. Same file either way.
- Shipping a release? Sign the artifact in AgePony and publish the .sig next to it. Anyone can verify with ssh-keygen -Y verify.
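The same workflow from a desktop shell, as an added example that is not AgePony's own code: it filters a teammate's published keys down to the types the age CLI accepts as recipients, and builds a namespace-restricted allowed_signers file for ssh-keygen -Y verify. Assumptions: the "file" signature namespace, the principal names, the helper function names, and GitHub's public https://github.com/USER.keys endpoint as the key source.

```shell
#!/bin/sh
# Added example: desktop-side equivalents of the workflow above.
# Assumed: the "file" namespace default and all function names.

# Keep only the SSH key types the age CLI accepts as recipients
# (ssh-ed25519, ssh-rsa); ecdsa and sk-* keys are dropped.
age_recipients() {
    awk '$1 == "ssh-ed25519" || $1 == "ssh-rsa" { print $1, $2 }'
}

# Turn public-key lines on stdin into allowed_signers entries for one
# principal, restricted to one namespace so the key is not accepted
# for signatures made for any other purpose.
allowed_signers() {   # usage: allowed_signers PRINCIPAL [NAMESPACE]
    awk -v p="$1" -v ns="${2:-file}" \
        'NF >= 2 { printf "%s namespaces=\"%s\" %s %s\n", p, ns, $1, $2 }'
}

# Encrypt FILE to every age-usable key GitHub publishes for USER.
# Fails closed when the account has no usable key.
encrypt_to_github() { # usage: encrypt_to_github USER FILE
    rcpt=$(mktemp) || return 1
    curl -fsS "https://github.com/$1.keys" | age_recipients > "$rcpt"
    if [ ! -s "$rcpt" ]; then
        echo "no ssh-ed25519/ssh-rsa key published for $1" >&2
        rm -f "$rcpt"
        return 1
    fi
    rc=0
    age -R "$rcpt" -o "$2.age" "$2" || rc=$?
    rm -f "$rcpt"
    return "$rc"
}

# Verify ARTIFACT against ARTIFACT.sig using a pinned allowed_signers
# file (build it once and confirm the key fingerprint out of band).
verify_release() {    # usage: verify_release PRINCIPAL ALLOWED ARTIFACT [NAMESPACE]
    ssh-keygen -Y verify -f "$2" -I "$1" -n "${4:-file}" \
        -s "$3.sig" < "$3"
}
```

If verification fails on a signature you expect to be good, check which namespace the signer used: ssh-keygen rejects a signature whose namespace differs from the one passed with -n.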
Is AgePony right for your dev workflow?
- You and your team already use SSH keys.
- You want to encrypt secrets to a teammate without setting up new key infrastructure.
- You sign releases and want it possible from a phone.
- You like that the output is plain age and SSHSIG.
- You need OpenPGP-based git commit signing — use PGPony or desktop GPG.
- You need a managed secrets store with access control and rotation.
- You want encrypted email to teammates — that's OpenPGP's territory.
Related material.
Start with encrypting to a GitHub username, then signing a file with your SSH key. If you need OpenPGP instead, AgePony vs PGPony lays out the choice.
Get AgePony
Free file encryption for iOS and Android. No accounts, no tracking, no servers.