Switch the libs to now external ones

2024-12-14 11:57:52 +00:00 · 2021-09-01 13:32:03 +02:00 · 2021-09-01 13:32:03 +02:00 · f636296aff
commit f636296aff
parent 6c916c1f57
12 changed files with 22 additions and 474 deletions
--- a/README.md
+++ b/README.md
@ -204,7 +204,7 @@ $ ssh-keygen -t ed25519

 Converting the public key to the age format works like this:
 ```console
-$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'ssh-add -L | ssh-pubkey-to-age'
+$ nix-shell -p ssh-pubkey-to-age --run "ssh-add -L | ssh-pubkey-to-age"
 ```

 Ssh public key files may also be piped into the `ssh-pubkey-to-age` tool.
@ -212,7 +212,7 @@ Ssh public key files may also be piped into the `ssh-pubkey-to-age` tool.
 Finally, you need to convert your private key to the age format:
 ```console
 $ mkdir -p ~/.config/sops
-$ nix run -f default.nix ssh-privkey-to-age -c ssh-privkey-to-age ~/.ssh/id_ed25519 > ~/.config/sops/keys.txt
+$ nix-shell -p ssh-privkey-to-age --run "ssh-privkey-to-age ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
 ```

 ### 3a. Get a PGP Public key for your machine
@ -252,8 +252,8 @@ If you prefer having a separate GnuPG key, see [Use with GnuPG instead of ssh ke
 The `ssh-pubkey-to-age` tool is used to convert any ssh public key to the age format.
 This way you can convert any key:
 ```console
-$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'ssh-keyscan my-server.com | ssh-pubkey-to-age'
-$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-pubkey-to-age'
+$ nix-shell -p ssh-pubkey-to-age --run 'ssh-keyscan my-server.com | ssh-pubkey-to-age'
+$ nix-shell -p ssh-pubkey-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-pubkey-to-age'
 ```

 ### 4. Create a sops file
--- a/default.nix
+++ b/default.nix
@ -1,5 +1,5 @@
 { pkgs ? import <nixpkgs> {} }: let
-  vendorSha256 = "sha256:1bizqlj56lka37gbvm37p3yifn7w2z9kfhv486gv40wknzqclq12";
+  vendorSha256 = "sha256:145vmy70mkbciy8mr92nz6w0rwr83884wwwjy4wa587c6wkgs3w2";

  sops-install-secrets = pkgs.callPackage ./pkgs/sops-install-secrets {
    inherit vendorSha256;
@ -11,8 +11,6 @@ in rec {
    Also see https://github.com/Mic92/sops-nix/issues/98
  '' pkgs.callPackage ./pkgs/sops-pgp-hook { };
  sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { };
-  ssh-pubkey-to-age = pkgs.callPackage ./pkgs/ssh-pubkey-to-age { inherit vendorSha256; };
-  ssh-privkey-to-age = pkgs.callPackage ./pkgs/ssh-privkey-to-age { inherit vendorSha256; };
  inherit sops-install-secrets;

  # backwards compatibility
--- a/go.mod
+++ b/go.mod
@ -3,12 +3,12 @@ module github.com/Mic92/sops-nix
 go 1.14

 require (
-	filippo.io/age v1.0.0-rc.3
+	github.com/Mic92/ssh-to-age v0.0.0-20210829164312-1fe15380abe4
 	github.com/ProtonMail/go-crypto v0.0.0-20210707164159-52430bf6b52c
 	github.com/mozilla-services/yaml v0.0.0-20191106225358-5c216288813c
 	go.mozilla.org/sops/v3 v3.7.1
-	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
-	golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e
 )

 // see https://github.com/mozilla/sops/pull/925
--- a/go.sum
+++ b/go.sum
@ -9,6 +9,8 @@ filippo.io/age v1.0.0-rc.3 h1:8JjuJ5ffGKDmC4SS0zoyQxZROZX75so768b7AjulKLw=
 filippo.io/age v1.0.0-rc.3/go.mod h1:UjINLBMeA60aGZkHCGsmDzKcaXoTTzpvrqQM+Vo3YHU=
 filippo.io/edwards25519 v1.0.0-alpha.2/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=
 filippo.io/edwards25519 v1.0.0-beta.3/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=
+filippo.io/edwards25519 v1.0.0-rc.1 h1:m0VOOB23frXZvAOK44usCgLWvtsxIoMCTBGJZlpmGfU=
+filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns=
 github.com/Azure/azure-sdk-for-go v31.2.0+incompatible h1:kZFnTLmdQYNGfakatSivKHUfUnDZhqNdchHD4oIhp5k=
 github.com/Azure/azure-sdk-for-go v31.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
@ -41,6 +43,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Mic92/sops/v3 v3.7.2-0.20210829155005-a7cbb9ffe599 h1:3UXsFmgei0TO2rwvIpW0EQNVJi4SnB3V3GgC/TGndzE=
 github.com/Mic92/sops/v3 v3.7.2-0.20210829155005-a7cbb9ffe599/go.mod h1:n1KOOXQUp7PbUIYr0yEExC6RWv2hjvQKLNufdWYLNQg=
+github.com/Mic92/ssh-to-age v0.0.0-20210829164312-1fe15380abe4 h1:PRxM012OHgeUA3yH/FHbyl/q7ep0l1w7t+haJTw6Ozs=
+github.com/Mic92/ssh-to-age v0.0.0-20210829164312-1fe15380abe4/go.mod h1:Y8QV5VlnhcBamWQHRdVNiqSuip5CDtJdmHxwQvHiXWs=
 github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
@ -276,8 +280,9 @@ golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@ -333,8 +338,11 @@ golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 h1:SgQ6LNaYJU0JIuEHv9+s6EbhSCwYeAf5Yvj6lpYlqAE=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e h1:XMgFehsDnnLGtjvjOfqWSUzt0alpTR1RSEuznObga2c=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
--- a/pkgs/bech32/bech32.go
+++ b/pkgs/bech32/bech32.go
@ -1,179 +0,0 @@
-// Copyright (c) 2017 Takatoshi Nakagawa
-// Copyright (c) 2019 Google LLC
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-// Package bech32 is a modified version of the reference implementation of BIP173.
-package bech32
-
-import (
-	"fmt"
-	"strings"
-)
-
-var charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
-
-var generator = []uint32{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}
-
-func polymod(values []byte) uint32 {
-	chk := uint32(1)
-	for _, v := range values {
-		top := chk >> 25
-		chk = (chk & 0x1ffffff) << 5
-		chk = chk ^ uint32(v)
-		for i := 0; i < 5; i++ {
-			bit := top >> i & 1
-			if bit == 1 {
-				chk ^= generator[i]
-			}
-		}
-	}
-	return chk
-}
-
-func hrpExpand(hrp string) []byte {
-	h := []byte(strings.ToLower(hrp))
-	var ret []byte
-	for _, c := range h {
-		ret = append(ret, c>>5)
-	}
-	ret = append(ret, 0)
-	for _, c := range h {
-		ret = append(ret, c&31)
-	}
-	return ret
-}
-
-func verifyChecksum(hrp string, data []byte) bool {
-	return polymod(append(hrpExpand(hrp), data...)) == 1
-}
-
-func createChecksum(hrp string, data []byte) []byte {
-	values := append(hrpExpand(hrp), data...)
-	values = append(values, []byte{0, 0, 0, 0, 0, 0}...)
-	mod := polymod(values) ^ 1
-	ret := make([]byte, 6)
-	for p := range ret {
-		shift := 5 * (5 - p)
-		ret[p] = byte(mod>>shift) & 31
-	}
-	return ret
-}
-
-func convertBits(data []byte, frombits, tobits byte, pad bool) ([]byte, error) {
-	var ret []byte
-	acc := uint32(0)
-	bits := byte(0)
-	maxv := byte(1<<tobits - 1)
-	for idx, value := range data {
-		if value>>frombits != 0 {
-			return nil, fmt.Errorf("invalid data range: data[%d]=%d (frombits=%d)", idx, value, frombits)
-		}
-		acc = acc<<frombits | uint32(value)
-		bits += frombits
-		for bits >= tobits {
-			bits -= tobits
-			ret = append(ret, byte(acc>>bits)&maxv)
-		}
-	}
-	if pad {
-		if bits > 0 {
-			ret = append(ret, byte(acc<<(tobits-bits))&maxv)
-		}
-	} else if bits >= frombits {
-		return nil, fmt.Errorf("illegal zero padding")
-	} else if byte(acc<<(tobits-bits))&maxv != 0 {
-		return nil, fmt.Errorf("non-zero padding")
-	}
-	return ret, nil
-}
-
-// Encode encodes the HRP and a bytes slice to Bech32. If the HRP is uppercase,
-// the output will be uppercase.
-func Encode(hrp string, data []byte) (string, error) {
-	values, err := convertBits(data, 8, 5, true)
-	if err != nil {
-		return "", err
-	}
-	if len(hrp)+len(values)+7 > 90 {
-		return "", fmt.Errorf("too long: hrp length=%d, data length=%d", len(hrp), len(values))
-	}
-	if len(hrp) < 1 {
-		return "", fmt.Errorf("invalid HRP: %q", hrp)
-	}
-	for p, c := range hrp {
-		if c < 33 || c > 126 {
-			return "", fmt.Errorf("invalid HRP character: hrp[%d]=%d", p, c)
-		}
-	}
-	if strings.ToUpper(hrp) != hrp && strings.ToLower(hrp) != hrp {
-		return "", fmt.Errorf("mixed case HRP: %q", hrp)
-	}
-	lower := strings.ToLower(hrp) == hrp
-	hrp = strings.ToLower(hrp)
-	var ret strings.Builder
-	ret.WriteString(hrp)
-	ret.WriteString("1")
-	for _, p := range values {
-		ret.WriteByte(charset[p])
-	}
-	for _, p := range createChecksum(hrp, values) {
-		ret.WriteByte(charset[p])
-	}
-	if lower {
-		return ret.String(), nil
-	}
-	return strings.ToUpper(ret.String()), nil
-}
-
-// Decode decodes a Bech32 string. If the string is uppercase, the HRP will be uppercase.
-func Decode(s string) (hrp string, data []byte, err error) {
-	if len(s) > 90 {
-		return "", nil, fmt.Errorf("too long: len=%d", len(s))
-	}
-	if strings.ToLower(s) != s && strings.ToUpper(s) != s {
-		return "", nil, fmt.Errorf("mixed case")
-	}
-	pos := strings.LastIndex(s, "1")
-	if pos < 1 || pos+7 > len(s) {
-		return "", nil, fmt.Errorf("separator '1' at invalid position: pos=%d, len=%d", pos, len(s))
-	}
-	hrp = s[:pos]
-	for p, c := range hrp {
-		if c < 33 || c > 126 {
-			return "", nil, fmt.Errorf("invalid character human-readable part: s[%d]=%d", p, c)
-		}
-	}
-	s = strings.ToLower(s)
-	for p, c := range s[pos+1:] {
-		d := strings.IndexRune(charset, c)
-		if d == -1 {
-			return "", nil, fmt.Errorf("invalid character data part: s[%d]=%v", p, c)
-		}
-		data = append(data, byte(d))
-	}
-	if !verifyChecksum(hrp, data) {
-		return "", nil, fmt.Errorf("invalid checksum")
-	}
-	data, err = convertBits(data[:len(data)-6], 5, 8, false)
-	if err != nil {
-		return "", nil, err
-	}
-	return hrp, data, nil
-}
--- a/pkgs/bech32/bech32_test.go
+++ b/pkgs/bech32/bech32_test.go
@ -1,94 +0,0 @@
-// Copyright (c) 2013-2017 The btcsuite developers
-// Copyright (c) 2016-2017 The Lightning Network Developers
-// Copyright (c) 2019 Google LLC
-//
-// Permission to use, copy, modify, and distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-package bech32_test
-
-import (
-	"strings"
-	"testing"
-
-	"filippo.io/age/internal/bech32"
-)
-
-func TestBech32(t *testing.T) {
-	tests := []struct {
-		str   string
-		valid bool
-	}{
-		{"A12UEL5L", true},
-		{"a12uel5l", true},
-		{"an83characterlonghumanreadablepartthatcontainsthenumber1andtheexcludedcharactersbio1tt5tgs", true},
-		{"abcdef1qpzry9x8gf2tvdw0s3jn54khce6mua7lmqqqxw", true},
-		{"11qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8247j", true},
-		{"split1checkupstagehandshakeupstreamerranterredcaperred2y9e3w", true},
-
-		// invalid checksum
-		{"split1checkupstagehandshakeupstreamerranterredcaperred2y9e2w", false},
-		// invalid character (space) in hrp
-		{"s lit1checkupstagehandshakeupstreamerranterredcaperredp8hs2p", false},
-		{"split1cheo2y9e2w", false}, // invalid character (o) in data part
-		{"split1a2y9w", false},      // too short data part
-		{"1checkupstagehandshakeupstreamerranterredcaperred2y9e3w", false}, // empty hrp
-		// invalid character (DEL) in hrp
-		{"spl" + string(rune(127)) + "t1checkupstagehandshakeupstreamerranterredcaperred2y9e3w", false},
-		// too long
-		{"11qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqsqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8247j", false},
-
-		// BIP 173 invalid vectors.
-		{"an84characterslonghumanreadablepartthatcontainsthenumber1andtheexcludedcharactersbio1569pvx", false},
-		{"pzry9x0s0muk", false},
-		{"1pzry9x0s0muk", false},
-		{"x1b4n0q5v", false},
-		{"li1dgmt3", false},
-		{"de1lg7wt\xff", false},
-		{"A1G7SGD8", false},
-		{"10a06t8", false},
-		{"1qzzfhee", false},
-	}
-
-	for _, test := range tests {
-		str := test.str
-		hrp, decoded, err := bech32.Decode(str)
-		if !test.valid {
-			// Invalid string decoding should result in error.
-			if err == nil {
-				t.Errorf("expected decoding to fail for invalid string %v", test.str)
-			}
-			continue
-		}
-
-		// Valid string decoding should result in no error.
-		if err != nil {
-			t.Errorf("expected string to be valid bech32: %v", err)
-		}
-
-		// Check that it encodes to the same string.
-		encoded, err := bech32.Encode(hrp, decoded)
-		if err != nil {
-			t.Errorf("encoding failed: %v", err)
-		}
-		if encoded != str {
-			t.Errorf("expected data to encode to %v, but got %v", str, encoded)
-		}
-
-		// Flip a bit in the string an make sure it is caught.
-		pos := strings.LastIndexAny(str, "1")
-		flipped := str[:pos+1] + string((str[pos+1] ^ 1)) + str[pos+2:]
-		if _, _, err = bech32.Decode(flipped); err == nil {
-			t.Error("expected decoding to fail")
-		}
-	}
-}
--- a/pkgs/sops-install-secrets/agessh/convert.go
+++ b/pkgs/sops-install-secrets/agessh/convert.go
@ -1,45 +0,0 @@
-package agessh
-
-import (
-	"crypto/ed25519"
-	"crypto/sha512"
-	"fmt"
-	"reflect"
-	"strings"
-
-	"github.com/Mic92/sops-nix/pkgs/bech32"
-	"golang.org/x/crypto/curve25519"
-	"golang.org/x/crypto/ssh"
-)
-
-func ed25519PrivateKeyToCurve25519(pk ed25519.PrivateKey) ([]byte, error) {
-	h := sha512.New()
-	_, err := h.Write(pk.Seed())
-	if err != nil {
-		return []byte{}, err
-	}
-	out := h.Sum(nil)
-	return out[:curve25519.ScalarSize], nil
-}
-
-func SSHPrivateKeyToBech32(sshPrivateKey []byte) (string, error) {
-	privateKey, err := ssh.ParseRawPrivateKey(sshPrivateKey)
-	if err != nil {
-		return "", err
-	}
-
-	ed25519Key, ok := privateKey.(*ed25519.PrivateKey)
-	if !ok {
-		return "", fmt.Errorf("Only ED25519 keys are supported, got: %s", reflect.TypeOf(privateKey))
-	}
-	bytes, err := ed25519PrivateKeyToCurve25519(*ed25519Key)
-	if err != nil {
-		return "", err
-	}
-
-	s, err := bech32.Encode("AGE-SECRET-KEY-", bytes)
-	if err != nil {
-		return "", err
-	}
-	return strings.ToUpper(s), nil
-}
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@ -17,8 +17,8 @@ import (
 	"syscall"
 	"time"

-	"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/agessh"
 	"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/sshkeys"
+	agessh "github.com/Mic92/ssh-to-age"

 	"github.com/mozilla-services/yaml"
 	"go.mozilla.org/sops/v3/decrypt"
@ -533,13 +533,13 @@ func importAgeSSHKeys(keyPaths []string, ageFilePath string) error {
 		if err != nil {
 			return fmt.Errorf("Cannot read ssh key '%s': %w", p, err)
 		}
-		// Convert the key to bech32
-		bech32, err := agessh.SSHPrivateKeyToBech32(sshKey)
+		// Convert the key to age
+		bech32, err := agessh.SSHPrivateKeyToAge(sshKey)
 		if err != nil {
 			return fmt.Errorf("Cannot convert ssh key '%s': %w", p, err)
 		}
 		// Append it to the file
-		_, err = ageFile.WriteString(bech32 + "\n")
+		_, err = ageFile.WriteString(*bech32 + "\n")
 		if err != nil {
 			return fmt.Errorf("Cannot write key to age file: %w", err)
 		}
--- a/pkgs/ssh-privkey-to-age/default.nix
+++ b/pkgs/ssh-privkey-to-age/default.nix
@ -1,19 +0,0 @@
-{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
-buildGoModule {
-  pname = "ssh-privkey-to-age";
-  version = "0.0.1";
-
-  src = ../..;
-
-  subPackages = [ "pkgs/ssh-privkey-to-age" ];
-
-  inherit vendorSha256;
-
-  meta = with lib; {
-    description = "Converter that converts SSH private keys into age keys";
-    homepage = "https://github.com/Mic92/sops-nix";
-    license = licenses.mit;
-    maintainers = with maintainers; [ mic92 ];
-    platforms = platforms.linux;
-  };
-}
--- a/pkgs/ssh-privkey-to-age/main.go
+++ b/pkgs/ssh-privkey-to-age/main.go
@ -1,28 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-
-	"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/agessh"
-)
-
-func main() {
-	if len(os.Args) != 2 {
-		println("Usage: " + os.Args[0] + " [path to ssh private key]")
-		os.Exit(1)
-	}
-
-	sshKey, err := ioutil.ReadFile(os.Args[1])
-	if err != nil {
-		panic(fmt.Errorf("Cannot read ssh key '%s': %w", os.Args[1], err))
-	}
-
-	// Convert the key to bech32
-	bech32, err := agessh.SSHPrivateKeyToBech32(sshKey)
-	if err != nil {
-		panic(fmt.Errorf("Cannot convert ssh key '%s': %w", os.Args[1], err))
-	}
-	fmt.Println(bech32)
-}
--- a/pkgs/ssh-pubkey-to-age/default.nix
+++ b/pkgs/ssh-pubkey-to-age/default.nix
@ -1,19 +0,0 @@
-{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
-buildGoModule {
-  pname = "ssh-pubkey-to-age";
-  version = "0.0.1";
-
-  src = ../..;
-
-  subPackages = [ "pkgs/ssh-pubkey-to-age" ];
-
-  inherit vendorSha256;
-
-  meta = with lib; {
-    description = "Converter that converts SSH public keys into age keys";
-    homepage = "https://github.com/Mic92/sops-nix";
-    license = licenses.mit;
-    maintainers = with maintainers; [ mic92 ];
-    platforms = platforms.linux;
-  };
-}
--- a/pkgs/ssh-pubkey-to-age/main.go
+++ b/pkgs/ssh-pubkey-to-age/main.go
@ -1,74 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"crypto/ed25519"
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-
-	"filippo.io/edwards25519"
-	"github.com/Mic92/sops-nix/pkgs/bech32"
-	"golang.org/x/crypto/ssh"
-)
-
-func ed25519PublicKeyToCurve25519(pk ed25519.PublicKey) ([]byte, error) {
-	// See https://blog.filippo.io/using-ed25519-keys-for-encryption and
-	// https://pkg.go.dev/filippo.io/edwards25519#Point.BytesMontgomery.
-	p, err := new(edwards25519.Point).SetBytes(pk)
-	if err != nil {
-		return nil, err
-	}
-	return p.BytesMontgomery(), nil
-}
-
-func main() {
-	if len(os.Args) != 1 {
-		println("Usage: " + os.Args[0])
-		println("Pipe a SSH public key or the output of ssh-keyscan into it")
-		os.Exit(1)
-	}
-
-	scanner := bufio.NewScanner(os.Stdin)
-	for scanner.Scan() {
-		text := scanner.Text() + "\n"
-		var err error
-		var pk ssh.PublicKey
-		if strings.HasPrefix(text, "ssh-") {
-			pk, _, _, _, err = ssh.ParseAuthorizedKey([]byte(text))
-		} else {
-			_, _, pk, _, _, err = ssh.ParseKnownHosts([]byte(text))
-		}
-		if err != nil {
-			panic(err)
-		}
-		// We only care about ed25519
-		if pk.Type() != ssh.KeyAlgoED25519 {
-			continue
-		}
-		// Get the bytes
-		cpk, ok := pk.(ssh.CryptoPublicKey)
-		if !ok {
-			panic(errors.New("pk does not implement ssh.CryptoPublicKey"))
-		}
-		epk, ok := cpk.CryptoPublicKey().(ed25519.PublicKey)
-		if !ok {
-			panic(errors.New("unexpected public key type"))
-		}
-		// Convert the key to curve ed25519
-		mpk, err := ed25519PublicKeyToCurve25519(epk)
-		if err != nil {
-			panic(fmt.Errorf("invalid Ed25519 public key: %v", err))
-		}
-		// Encode the key
-		s, err := bech32.Encode("age", mpk)
-		if err != nil {
-			panic(err)
-		}
-		fmt.Println(s)
-	}
-	if err := scanner.Err(); err != nil {
-		panic(err)
-	}
-}