So, feel free to correct me if I am wrong but this is my current knowledge about ts:

  1. PGP and SSH both use asymmetric encryption; in other words there is always a public and private key.
  2. You can verify the sender with your public key if the sender signs whatever he sends with his private key.
  3. You tend to insert your public key into a remote Git repository like GitHub, etc.

So should your private key not be sufficient to verify your identity when you push commits? Why would you want to use PGP instead?

  • manxu@piefed.social
    5 months ago

    SSH hasn’t had the signing functionality for long, and git support for SSH signatures is even younger. I’d say if you are starting from scratch, SSH signing is simpler and potentially more secure. PGP works, though, and if you have an existing setup, there is no compelling reason to change right now.