On GitHub, I want to add a key to associate my computer with my account and I am given two options: create an SSH or a GPG key.
What is the difference between the two keys, and is there a preferred one to use?
I understand how to create both by following the guide on the site but I don't know which one is better to use.
When you use SSH, a program called ssh-agent is used to manage the keys. To use a GPG key, you'll use a similar program, gpg-agent, that manages GPG keys. To get gpg-agent to handle requests from SSH, you need to enable support by adding the line enable-ssh-support to ~/.gnupg/gpg-agent.conf.
Are the two interchangeable, or is there a difference between the two? Even if they were, it's generally a bad idea to re-use the same key across multiple contexts. Both PGP and SSH support RSA public/private key pairs, so presumably it is possible.
GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.
A YubiKey with OpenPGP can be used for logging in to remote SSH servers. In this setup, the Authentication subkey of an OpenPGP key is used as an SSH key to authenticate against a server. To ensure that the only way to log in is by using your YubiKey we recommend disabling password login on your SSH server.
I want to add a key to associate my computer with my account and I am given two options
You will need at least the SSH one, if you want to push back to your repository, using an SSH URL (since the public SSH key will authenticate you).
Start with SSH. See "Connecting to GitHub with SSH".
Later, you can use GPG to sign commits.
Vishwas M.R points out in the comments to "Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?"
When you authenticate to Github with your SSH key, that authentication doesn't become part of the repository in any meaningful or lasting way.
It causes Github to give you access for the moment, but it doesn't prove anything to anyone who is not Github.
When you GPG-sign a Git tag, that tag is part of the repository, and can be pushed to other copies of the repository.
Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.
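The distinction the answer draws (SSH authentication leaves nothing behind in the repository, a GPG signature is stored in the tag or commit object and can be checked by anyone holding the public key) can be exercised end to end on one machine. The script below is an added example, not code from the question, the answer or GitHub: it generates a throwaway GPG key, makes a signed commit and signed tag, clones the repository, and verifies the signatures from a second, initially empty GNUPGHOME, first without and then with the author's public key. It assumes git and GnuPG 2.1 or later are installed; the identity "Example Dev <dev@example.com>", the tag name v1.0 and the temporary directories are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above): a GPG signature on a tag or commit
# travels with the repository and is checkable by anyone with the signer's public
# key; an SSH login to GitHub leaves no such trace in the objects.
# Assumes git and GnuPG 2.1+. "Example Dev", dev@example.com and v1.0 are made-up
# demo values; the key is generated unprotected into a throwaway GNUPGHOME.
set -euo pipefail

# Generate a throwaway Ed25519 signing key in GNUPGHOME $1; print its fingerprint.
make_signing_key() {
  local home="$1"
  GNUPGHOME="$home" gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Dev
Name-Email: dev@example.com
Expire-Date: 0
%commit
EOF
  GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Create a repository in $2 with one signed commit and one signed tag, using
# key $3 from GNUPGHOME $1. commit.gpgsign=true is what "git commit -S" automates.
make_signed_repo() {
  local home="$1" repo="$2" fpr="$3"
  git init -q "$repo" 2>/dev/null
  git -C "$repo" config user.name "Example Dev"
  git -C "$repo" config user.email "dev@example.com"
  git -C "$repo" config user.signingkey "$fpr"
  git -C "$repo" config commit.gpgsign true
  echo "hello" > "$repo/README"
  git -C "$repo" add README
  GNUPGHOME="$home" git -C "$repo" commit -q -m "Initial commit" >/dev/null 2>&1
  GNUPGHOME="$home" git -C "$repo" tag -s v1.0 -m "Release 1.0" >/dev/null 2>&1
}

# Clone $1 into $2 and verify tag and commit from the reviewer's GNUPGHOME $3,
# which starts out empty. $4 is the author's GNUPGHOME, used here only to hand
# over the public key (in real life: a keyserver, https://github.com/<user>.gpg,
# or the author in person). Prints "verified" on success.
verify_as_reviewer() {
  local origin="$1" clone="$2" reviewer_home="$3" author_home="$4"
  git clone -q "$origin" "$clone" 2>/dev/null
  # The signature is literally inside the tag object that came with the clone.
  git -C "$clone" cat-file -p v1.0 | grep -q 'BEGIN PGP SIGNATURE'
  # Without the public key it is present but cannot be checked: verify-tag fails.
  if GNUPGHOME="$reviewer_home" git -C "$clone" verify-tag v1.0 >/dev/null 2>&1; then
    echo "verified without a public key; something is wrong" >&2
    return 1
  fi
  # Import the public key; verification now succeeds. gpg still warns that the
  # key is not certified: whether to trust it is a separate decision.
  GNUPGHOME="$author_home" gpg --batch --armor --export dev@example.com 2>/dev/null \
    | GNUPGHOME="$reviewer_home" gpg --batch --quiet --import >/dev/null 2>&1
  GNUPGHOME="$reviewer_home" git -C "$clone" verify-tag v1.0 >/dev/null 2>&1
  GNUPGHOME="$reviewer_home" git -C "$clone" verify-commit HEAD >/dev/null 2>&1
  echo "verified"
}

# End-to-end run in a fresh temporary directory; prints "verified" on success.
run_demo() {
  local work author_home reviewer_home fpr
  work="$(mktemp -d)"
  author_home="$work/author-gnupg"
  reviewer_home="$work/reviewer-gnupg"
  mkdir -m 700 "$author_home" "$reviewer_home"
  fpr="$(make_signing_key "$author_home")"
  make_signed_repo "$author_home" "$work/origin" "$fpr"
  verify_as_reviewer "$work/origin" "$work/clone" "$reviewer_home" "$author_home"
  # Stop the agents gpg started for the two throwaway homes, then clean up.
  GNUPGHOME="$author_home" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$reviewer_home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

run_demo
```

Drop the `>/dev/null 2>&1` redirections on the two `verify-tag` calls to watch the transition from "No public key" to "Good signature ... WARNING: This key is not certified with a trusted signature!", which is exactly the "access to your public key and reason to trust it" distinction the quoted comment makes. Nothing comparable exists for the SSH key: `git cat-file -p` on the commit and tag shows the PGP signature block but no trace of how the objects were pushed.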