162

On GitHub, I want to add a key to associate my computer with my account and I am given two options: create an SSH or a GPG key.

What is the difference between the two keys, and is there a preferred one to use?
I understand how to create both by following the guide on the site but I don't know which one is better to use.

VonC
Domenick
    They are used for different things on GitHub. SSH is used for authentication while GPG is used for signing tags and commits. – Xaqron Jul 18 '18 at 23:39

1 Answer

96

I want to add a key to associate my computer with my account and I am given two options

You will need at least the SSH one, if you want to push back to your repository, using an SSH URL (since the public SSH key will authenticate you).
Start with SSH. See "Connecting to GitHub with SSH".

Later, you can use GPG to sign commits.


Note: Since Aug. 2022, GitHub also supports SSH commit verification



Vishwas M.R points out in the comments to "Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?"

When you authenticate to GitHub with your SSH key, that authentication doesn't become part of the repository in any meaningful or lasting way.
It causes GitHub to give you access for the moment, but it doesn't prove anything to anyone who is not GitHub.

When you GPG-sign a Git tag, that tag is part of the repository, and can be pushed to other copies of the repository.
Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.

VonC
  • 2
    Can I replace my SSH key with my GPG key? – daraul Oct 25 '19 at 14:41
  • 3
    @daraul As I mentioned in 2017: https://stackoverflow.com/a/45120525/6309, you could technically replace your SSH key by a gpg one (https://superuser.com/a/390176/141), but that is not very convenient, or what a GPG key is used for usually. – VonC Oct 25 '19 at 17:00
  • On gpg signing commits: https://stackoverflow.com/a/60456524/6309 (Eclipse) and https://stackoverflow.com/a/51919818/6309 (x509 instead of openpgp) – VonC Mar 16 '20 at 22:05
  • In case anyone is wondering what the advantages of signing commits using GPG are, refer to https://security.stackexchange.com/a/120725/274459 – Vishwas M.R Feb 17 '22 at 06:12
  • 1
    @VishwasM.R Good point. I have included your comment in the answer for more visibility. – VonC Feb 17 '22 at 19:05
  • 1
    [SSH commit verification is now supported.](https://github.blog/changelog/2022-08-23-ssh-commit-verification-now-supported/) – Lauren Yim Aug 26 '22 at 09:11
  • 1
    @cherryblossom Thank you for this feedback. I have edited the answer accordingly, referencing [another answer of mine](https://stackoverflow.com/a/72852713/6309), where I already mentioned SSH commit verification two days ago. – VonC Aug 26 '22 at 09:20
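
The distinction drawn in the answer above (authentication is momentary, a signature is stored in the repository and can be checked by anyone holding the public key), as an added example that is not part of the original answer or its comments. It uses the SSH commit signing mentioned in the note instead of GPG; the key, the identity `dev@example.com` and all paths are constructed, and it assumes git 2.34 or later plus OpenSSH's `ssh-keygen`.

```shell
#!/usr/bin/env bash
# Added example: sign a commit with an SSH key, then verify it from a plain clone.
# Assumes git >= 2.34 and OpenSSH ssh-keygen. Key, identity and paths are constructed.

demo_ssh_signed_commit() (
    work=$(mktemp -d) || exit 1
    # Ignore the caller's own git configuration so the run is reproducible.
    export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

    # Throwaway key pair (no passphrase) standing in for the developer's SSH key.
    ssh-keygen -q -t ed25519 -N '' -C 'dev@example.com' -f "$work/id_demo" || exit 1

    git init -q "$work/origin" || exit 1
    (
        cd "$work/origin" || exit 1
        git config user.name  'Demo Dev'
        git config user.email 'dev@example.com'
        git config gpg.format ssh                    # sign with SSH instead of OpenPGP
        git config user.signingkey "$work/id_demo"   # key file used for signing
        echo hello > README
        git add README
        git commit -q -S -m 'signed commit'
    ) || exit 1

    # A third party copies the repository; no SSH authentication happens here.
    git clone -q "$work/origin" "$work/clone" || exit 1

    # The signature is a header of the commit object, so it travelled with the clone.
    git -C "$work/clone" cat-file commit HEAD | grep -q '^gpgsig ' || exit 1

    # The verifier chooses which public key to trust for which identity.
    printf 'dev@example.com %s\n' "$(cut -d' ' -f1,2 "$work/id_demo.pub")" \
        > "$work/allowed_signers"
    git -C "$work/clone" config gpg.ssh.allowedSignersFile "$work/allowed_signers"

    # %G? prints G when the signature is good and the key is trusted.
    status=$(git -C "$work/clone" log -1 --format='%G?') || exit 1
    rm -rf "$work"
    printf '%s\n' "$status"
)
```

On GitHub the trusted key comes from the signing keys registered on the account, which plays the role of the local `allowed_signers` file used here.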