Here's something I don't understand.
Git uses SSH public/private key pairs for its wire-level network security.
Git uses GPG public/private key pairs for its commit-signing and tag-signing operations.
Why does git use two different keys for these two purposes?
Is that considered to be improved security?
Or is there a technical reason that git couldn't have simply used the same public/private key pair for both purposes?
And yes, I understand that in the wire-level network security case, it typically isn't git itself that is authenticating you using the SSH public key; it is actually the operating system that is doing that.
So I guess my question is: OK, but then why can't I use that same SSH key pair to sign my git commits and git tags? Why did git decide that I should use a different key pair for signing my git commits and tags?
Sorry for the naive question, but, as I admitted, I'm still rather ignorant about this cryptography stuff.
And, I see that other people are puzzled by this, too.