
Simply put, I am wondering why one would need to sign one's commits with a GPG key when contributing to GitHub, when one is already required to provide an SSH public key?

HedgeMage
Mahmoud Tantawy
    Have a look at: https://programmers.stackexchange.com/questions/212192/what-are-the-advantages-and-disadvantages-of-cryptographically-signing-commits-a Not sure which SSH key you refer to. – Arminius Apr 17 '16 at 04:21
  • @Arminius That https://help.github.com/articles/generating-an-ssh-key/ – Mahmoud Tantawy Apr 17 '16 at 07:46

1 Answer


When you authenticate to Github with your SSH key, that authentication doesn't become part of the repository in any meaningful or lasting way. It causes Github to give you access for the moment, but it doesn't prove anything to anyone who is not Github.

When you GPG-sign a git tag, that tag is part of the repository, and can be pushed to other copies of the repository. Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.

While it isn't necessary to tag and GPG-sign every single commit, it is wise to provide GPG-signed tags at least on each commit that corresponds to a released version of your code. You may wish to do more than that, but that is the bare minimum of responsible behavior, as it provides reasonable assurance that:

  • The commit in question really does correspond to the release in question.

  • The commit in question (and to the degree that we trust the SHA1 hashes used in git commit history, all of its predecessors) came from the signer (and, if applicable, the signer's team).

  • The commit in question wasn't tampered with after the signer tagged it.

Note that I said "reasonable assurance", not "perfect certainty"...there are other things that can go wrong with software integrity. However, providing signed tags at least for official releases is a huge step in the right direction.

HedgeMage
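The three assurances the answer lists can be checked end to end in a throwaway repository. The script below is an added example, not code from the question or the answer: it generates a passphrase-less GPG key for a made-up maintainer (the name, the `example.invalid` address and the RSA-2048 parameters are assumptions for the demo), signs a release tag, then shows what a downstream user can conclude before and after obtaining the maintainer's public key, and what happens when someone re-points the signed tag object at a different commit. It needs `git` and `gpg` on `PATH` and writes only under a `mktemp` directory.

```shell
#!/bin/sh
# Added example (not from the question or answer above): GPG-sign a release
# tag in a throwaway repository and verify it from two keyrings. Requires
# git and gpg. All names, addresses and key parameters are made up.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
SIGNER_HOME="$WORK/signer-gnupg"      # maintainer's keyring (holds the secret key)
STRANGER_HOME="$WORK/stranger-gnupg"  # a downstream user's keyring (starts empty)
mkdir -p "$SIGNER_HOME" "$STRANGER_HOME"
chmod 700 "$SIGNER_HOME" "$STRANGER_HOME"

# 1. A throwaway, passphrase-less signing key for the maintainer.
GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Maintainer
Name-Email: maintainer@example.invalid
Expire-Date: 0
%commit
EOF
KEYID=$(GNUPGHOME="$SIGNER_HOME" gpg --batch --list-secret-keys --with-colons 2>/dev/null \
        | awk -F: '/^sec/ { print $5; exit }')

# 2. A repository with a "release" commit, tagged and signed with that key.
git init -q "$REPO"
git -C "$REPO" config user.name  "Example Maintainer"
git -C "$REPO" config user.email "maintainer@example.invalid"
git -C "$REPO" config user.signingkey "$KEYID"
echo 'print("hello")' > "$REPO/app.py"
git -C "$REPO" add app.py
git -C "$REPO" commit -q -m "Release 1.0"
GNUPGHOME="$SIGNER_HOME" git -C "$REPO" tag -s v1.0 -m "Release 1.0"

# verify_as KEYRING TAG -> prints "ok" or "fail" depending on whether git
# accepts the tag's signature using the public keys held in KEYRING.
verify_as() {
    if GNUPGHOME="$1" git -C "$REPO" verify-tag "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 3. The stranger has no copy of the maintainer's public key yet: the
#    signature travels inside the tag object, but nothing can check it.
GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export "$KEYID" > "$WORK/maintainer.asc" 2>/dev/null
BEFORE_IMPORT=$(verify_as "$STRANGER_HOME" v1.0)        # fail: no public key
GNUPGHOME="$STRANGER_HOME" gpg --batch --quiet --import "$WORK/maintainer.asc" 2>/dev/null
AFTER_IMPORT=$(verify_as "$STRANGER_HOME" v1.0)         # ok, with an "untrusted key" warning

# 4. Tampering: re-point the signed tag at a different commit. The signature
#    covers the whole tag object, including its "object <sha1>" line, so the
#    altered copy no longer verifies even in the signer's own keyring.
git -C "$REPO" commit -q --allow-empty -m "Backdoor"
EVIL=$(git -C "$REPO" rev-parse HEAD)
TAMPERED=$(git -C "$REPO" cat-file tag v1.0 \
           | sed "s/^object .*/object $EVIL/" \
           | git -C "$REPO" hash-object -t tag -w --stdin)
git -C "$REPO" update-ref refs/tags/v1.0-tampered "$TAMPERED"
TAMPERED_RESULT=$(verify_as "$SIGNER_HOME" v1.0-tampered)   # fail: BAD signature

echo "signer verifies v1.0:           $(verify_as "$SIGNER_HOME" v1.0)"
echo "stranger, no public key:        $BEFORE_IMPORT"
echo "stranger, after importing key:  $AFTER_IMPORT"
echo "tag re-pointed at other commit: $TAMPERED_RESULT"
```

Two things worth noticing when running it. The stranger's successful verification still carries gpg's "This key is not certified with a trusted signature" warning: `git verify-tag` only requires a good signature from a key in the keyring (git's `gpg.minTrustLevel` setting can raise that bar), so the "reason to trust it" part of the answer is a separate, human step of checking the key's fingerprint through some out-of-band channel. And the SSH key used to push never appears anywhere in this flow: nothing in `.git` records it, which is exactly why a clone cannot use it to check who produced the release.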
    Why can't the SSH key be used to sign commits? Aren't both private keys after all? – Gili Nov 25 '16 at 05:13
  • Technically, yes, but reformatting of keys is required. Out of the box, SSH and PGP keys weren't intended to be reused, but it's possible: http://security.stackexchange.com/q/32768/28652 – brianclements Dec 09 '16 at 20:36
  • Can't I use the gpg key to do ssh tasks like cloning for example or do I still have to add my ssh-rsa? – Yves Jun 02 '17 at 13:28
  • I thought it would be nice to just use the GPG key stored on Keybase for such tasks as well. That way I could also easily share my public key to get added to other repos, for example. – Yves Jun 02 '17 at 13:30
  • I wonder if this topic is elaborated on somewhere? I would like to read more about this. – 7heViking Nov 05 '18 at 14:05