11
Why would you want to sign your commits with PGP? Is SSH insufficient? (programming.dev)
submitted 5 days ago by Custodian6718@programming.dev to c/cybersecurity@sh.itjust.works
6 comments fedilink hide all child comments

So, feel free to correct me if I am wrong but this is my current knowledge about ts:

  1. PGP and SSH both use asymmetric encryption; in other words there is always a public and private key.
  2. You can verify the sender with your public key if the sender signs whatever he sends with his private key.
  3. You tend to insert your public key into remote Git repository like Github etc.

So should your private key not be sufficient to verify your identity when you push commits? Why would you want to use PGP instead?

you are viewing a single comment's thread
view the rest of the comments
[-] treadful@lemmy.zip 2 points 5 days ago

Commit signing isn't to authenticate with the remote repository. It includes the signatures in the commit data so they can be verified by anyone with a copy of the repo.

this post was submitted on 11 Jun 2025
11 points (100.0% liked)

Cybersecurity

7557 readers
138 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS
kid@sh.itjust.works
Lanky_Pomegranate530@midwest.social