Allow multiple identities files #51

Open
@remko

Description

On one of my machines, I have 2 age keys that I use for my passwords:

  • One secure enclave key (for Touch ID), not encrypted with a passphrase
  • One standard age key, protected by a passphrase

Some folders in my store have a recipients file with both recipients in them, some only the one for the passphrase-protected age key.

I'd like passage to be able to use the unencrypted (Touch ID) key when it can, and only prompt me for a passphrase when it needs to use the passphrase-protected key (i.e. when the password is only encrypted for the passphrase-protected key).

Passage only looks in one identities file, and as far as I know, I cannot combine passphrase-protected age keys and non-password-protected keys (such as the secure enclave one) in one identities file, so I can't make passage behave this way. It does work with age directly when I pass both identities in the correct order.

Proposed solution

One possible solution (which I implemented in my local copy): if identities is a directory, add all files in that directory in alphabetical order as identities to the age command-line (there may need to be a filter here).

One thing to bear in mind is extensions, which expect one $IDENTITIES_FILE; they could still be passed the first one through that variable for backwards compatibility, but in order to support multiple, they would have to support a new variable. I chose to pass an array $AGE_IDENTITY_ARGS, which avoids having to construct the -i command line by hand; this is also what password-store seems to do with $GPG_OPTS. (BTW, it seems there is a reference to $AGE_IDENTITY_ARGS in the code already, but I’m not sure this is intentional; I think the command where this is referenced, git init, is currently broken).

Another thing to note is that passage git init fixes the identity arguments in a config file. This means the identity files will be fixed at init time. I think the only way to make the git diff subcommand work is to not use age directly, but to delay the parameter expansion (e.g. by using something like passage show that supports full paths as the conversion script).

I created a PR to illustrate this solution.
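A sketch of the directory handling proposed above, added here as an example; it is not code from the passage project or from the linked PR. The helper name `build_identity_args`, the filter (regular, non-hidden files only) and the sample file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: expand a passage-style identities path into age -i arguments.
# A regular file is used alone (current passage behaviour); a directory
# contributes every regular, non-hidden file in it, sorted by name with
# LC_ALL=C so precedence is controlled by naming (00-touchid before
# 10-passphrase). Files are only listed, never read, so no passphrase prompt
# can happen at this stage; age decides which identity it actually needs.
set -euo pipefail

# Fills the global array AGE_IDENTITY_ARGS, which callers expand as
# "${AGE_IDENTITY_ARGS[@]}" instead of building the -i list by hand. The first
# file is also exported as IDENTITIES_FILE for extensions that expect one path.
build_identity_args() {
    local path=$1 f
    AGE_IDENTITY_ARGS=()
    if [[ -f "$path" ]]; then
        AGE_IDENTITY_ARGS=(-i "$path")
    elif [[ -d "$path" ]]; then
        while IFS= read -r -d '' f; do
            AGE_IDENTITY_ARGS+=(-i "$f")
        done < <(find "$path" -mindepth 1 -maxdepth 1 -type f ! -name '.*' -print0 \
                 | LC_ALL=C sort -z)
    else
        echo "passage: no identities at $path" >&2
        return 1
    fi
    IDENTITIES_FILE=${AGE_IDENTITY_ARGS[1]:-}
    export IDENTITIES_FILE
}

# Print the resulting argument list one per line (handy for debugging).
identity_args_list() {
    build_identity_args "$1" || return 1
    printf '%s\n' "${AGE_IDENTITY_ARGS[@]}"
}

# Demo on a constructed directory: two placeholder identities plus a dotfile
# that the filter must skip. (Placeholders, not real age identities.)
main() {
    DEMO_DIR=$(mktemp -d)
    trap 'rm -rf "$DEMO_DIR"' EXIT
    echo "# constructed touch id identity placeholder" > "$DEMO_DIR/00-touchid.txt"
    echo "# constructed passphrase identity placeholder" > "$DEMO_DIR/10-passphrase.txt"
    echo "ignored" > "$DEMO_DIR/.hidden"
    identity_args_list "$DEMO_DIR"
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    main "$@"
fi
```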
