GPG vs SSH keys


I want to add a key to associate my computer with my account and I am given two options

You will need at least the SSH one, if you want to push back to your repository, using an SSH URL (since the public SSH key will authenticate you).
Start with SSH. See "Connecting to GitHub with SSH".

Later, you can use GPG to sign commits.


Vishwas M.R points out in the comments to "Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?"

When you authenticate to GitHub with your SSH key, that authentication doesn't become part of the repository in any meaningful or lasting way.
It causes GitHub to give you access for the moment, but it doesn't prove anything to anyone who is not GitHub.

When you GPG-sign a Git tag, that tag is part of the repository, and can be pushed to other copies of the repository.
Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.
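
The distinction drawn in the quoted passage above, as an added example that is not part of the original answer: a signed tag is created in one repository, and a clone with a separate keyring verifies it only after importing the signer's public key. The key, identities, tag names and paths are constructed throwaways, and the key is left without a passphrase only so the demo runs unattended.

```shell
#!/usr/bin/env bash
# Added example; the key, identities and repositories are constructed throwaways.
demo_signed_tag() (
  work=$(mktemp -d) || exit 1
  trap 'GNUPGHOME="$work/signer" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT

  # Signer side: demo key in a private keyring (a real signing key needs a passphrase).
  export GNUPGHOME="$work/signer"
  mkdir -m 700 "$GNUPGHOME" || exit 1
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never || exit 1
  fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" {print $10; exit}')
  gpg --batch --armor --export "$fpr" > "$work/signer.pub" || exit 1

  git init --quiet "$work/origin" && cd "$work/origin" || exit 1
  git config user.name 'Demo Signer'
  git config user.email 'demo@example.invalid'
  git config user.signingkey "$fpr"
  git commit --quiet --allow-empty -m 'initial commit' || exit 1
  git tag -s v1.0 -m 'signed release tag' || exit 1
  git tag -a v1.1 -m 'annotated but unsigned' || exit 1

  # Verifier side: an empty keyring and a plain local clone. No SSH session or
  # hosting account is involved in anything below.
  export GNUPGHOME="$work/verifier"
  mkdir -m 700 "$GNUPGHOME" || exit 1
  git clone --quiet "$work/origin" "$work/clone" && cd "$work/clone" || exit 1

  # The signature is stored inside the tag object, so it was copied by the clone.
  git cat-file tag v1.0 | grep -q 'BEGIN PGP SIGNATURE' || exit 1
  # Without the signer's public key the tag cannot be verified.
  git verify-tag v1.0 2>/dev/null && exit 1
  # After importing the public key, verification succeeds.
  gpg --batch --quiet --import "$work/signer.pub" || exit 1
  git verify-tag v1.0 2>/dev/null || exit 1
  # An annotated tag that was never signed still fails verification.
  git verify-tag v1.1 2>/dev/null && exit 1
  exit 0
)
```

Call `demo_signed_tag`; an exit status of 0 means every check behaved as described. Importing a key only makes verification possible, so whether to trust that key remains a separate decision for the verifier.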


Author by

Domenick

Full Stack developer with an interest in web design.

Updated on February 18, 2022

Comments

  • Domenick 10 months

    On GitHub, I want to add a key to associate my computer with my account and I am given two options: create an SSH or a GPG key.

    What is the difference between the two keys? And is there a preferred one to use?
    I understand how to create both by following the guide on the site but I don't know which one is better to use.

    • Xaqron over 4 years
      They are used for different things on GitHub. SSH is used for authentication while GPG is used for signing tags and commits.
  • daraul about 3 years
    Can I replace my SSH key with my GPG key?
  • VonC about 3 years
    @daraul As I mentioned in 2017: stackoverflow.com/a/45120525/6309, you could technically replace your SSH key by a gpg one (superuser.com/a/390176/141), but that is not very convenient, or what a GPG key is used for usually.
  • VonC almost 3 years
    On gpg signing commits: stackoverflow.com/a/60456524/6309 (Eclipse) and stackoverflow.com/a/51919818/6309 (x509 instead of openpgp)
  • Vishwas M.R 10 months
    In case anyone is wondering what the advantages of signing commits using GPG are, refer to security.stackexchange.com/a/120725/274459
  • VonC 10 months
    @VishwasM.R Good point. I have included your comment in the answer for more visibility.