Support for p256tag and p256mlkem768tag recipients

[pschichtel]

Currently, when using an identity generated by age-plugin-tpm like age1tag1..., this is the output of sops encrypt:

Could not generate data key: [failed to encrypt new data key with master key "age1tag1...": failed to create writer for encrypting sops data key with age: failed to wrap key for recipient #0: tag plugin: couldn't start plugin: "tag" plugin not found: exec: "age-plugin-tag": executable file not found in $PATH]

Invoking age itself with the identity works fine. I think support for p256tag and p256mlkem768tag is generally missing. The old tpm tag works fine.

[felixfontein]

Isn't the whole point of plugins that you don't need to support the formats explicitly? My guess is that the age that's part of SOPS somehow cannot find the plugins. But I don't know how exactly age finds these plugins and how your system looks like, so 🤷

Did you check whether the plugin shows up in the $PATH that SOPS is using?

[pschichtel]

The plugin is in the path as age-plugin-tpm, but age seems to be looking for age-plugin-tag. age-plugin-tpm also allows generating an identity with the tpm tag, they call it "legacy". These identities work fine.