6

I'm using git for most of my programming work and sign most of the commits with an SSH key. However, when I updated git to version 2.17.1, git defaulted to signing with a GPG key instead of the SSH key.

I would like to know what the advantages and disadvantages of using a GPG key over an SSH key are, and why git is making GPG the default.

poon gilbert
Nic Wanavit

1 Answer

3

An SSH key is used for many authentication applications, such as logging in to an SSH server, logging in, and many other applications.

This means that if you use it in a non-secure environment and your private key is stolen, others are able to fake your signatures and log on to all your computers.

GPG is widely used for signing emails, files, and other encryption activities. Therefore you can use it in a less secure environment, since fake signing on GitHub is much less desirable than stealing your server.

poon gilbert
  • 2
    Ohh I see. Do you know how I can download my GPG key and use it to sign other things? – Nic Wanavit May 05 '19 at 13:42
  • 1
    But both the private SSH and GPG keys are stored on the same machine; if one is compromised, the other one is likely as well. Whether one was using one SSH and one GPG key or two SSH keys to sign commits does not change anything. – Nato Boram Aug 25 '22 at 15:01
  • Well, in this example it is more secure because you are using two different keys for signing and authentication, and you would have the same level of security even if both of them were SSH keys. It doesn't explain the advantage of GPG over SSH. – Daniel B Aug 30 '23 at 04:13