> On Sep 16, 2024, at 8:13 AM, Richard Biener via Gcc <gcc@gcc.gnu.org> wrote:
>
> On Mon, Sep 16, 2024 at 1:37 PM Jonathan Wakely via Gcc <gcc@gcc.gnu.org>
> wrote:
>>
>> Git supports signing commits with a GPG key, and more recently (since
>> Git 2.34) also started supporting signing with an SSH key. The latter
>> is IMHO much easier to set up, because anybody who can push to the GCC
>> repo already has an SSH key configured.
>>
>> To start signing your git commits, just enable commit.gpgsign (which
>> also enables signing with SSH, despite the name) and tell Git where to
>> find your public key. To use SSH keys instead of GPG, set
>> gpg.format=ssh. I suggest the ssh key you sign with should be the same
>> key that you use to push to gcc.gnu.org / sourceware.org.
>>
>> i.e.
>>
>> git config --global gpg.format ssh
>> git config user.signingKey ~/.ssh/id_your_gcc_key.pub
>> git config commit.gpgsign true
>>
>> More info online e.g.
>> https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html
>
> What is the benefit of having a SSH signature in addition to
> sourceware verifying
> the SSH key upon commit?
>
> Richard.
I was wondering the same. PGP/GPG has a public key infrastructure (the Web of
Trust and the PGP key servers). PGP signatures are valuable because anyone can
check them, given a published public key -- which is the intended use of PGP.
SSH key pairs are authentication keys, but they aren't interesting as signing
keys unless they are backed up by a public key
publication/distribution/authentication scheme similar to the PGP web of trust
(or, similar but different, the CA infrastructure of X.509 keys).
paul