> and for someone who has developed a simple & safe workflow around it
This is the kicker. Modern versions of GPG have sane defaults, but if I were a new developer who knew nothing about encryption, I would be very scared of GPG, it's aged documentation, and multitude of encryption and signing methods.
Following the wrong stackoverflow answer, or an out-of-date blog post could easily get you a GPG configuration that is insecure in the year 2023.
The same cannot be said for age, it has no knobs that you can dial to an insecure setting. If you'll forgive the expression, it is "idiot proof".
Like you said though, GPG works, as long as you have that safe workflow.
This is the kicker. Modern versions of GPG have sane defaults, but if I were a new developer who knew nothing about encryption, I would be very scared of GPG, it's aged documentation, and multitude of encryption and signing methods.
Following the wrong stackoverflow answer, or an out-of-date blog post could easily get you a GPG configuration that is insecure in the year 2023.
The same cannot be said for age, it has no knobs that you can dial to an insecure setting. If you'll forgive the expression, it is "idiot proof".
Like you said though, GPG works, as long as you have that safe workflow.