c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
Community Rules
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
I’m am glad you asked this, because I did not know and had to look it up, so I found pgp can have multiple signatures of people saying this is a trustworthy key and helps show people it’s really you.
But if you used your regular key, how do people know it came from you ?
SSH hasn't had the signing functionality for long, and git support for SSH signatures is even younger. I'd say if you are starting from scratch, SSH signing is simpler and potentially more secure. PGP works, though, and if you have an existing setup, there is no compelling reason to change right now.
Commit signing isn't to authenticate with the remote repository. It includes the signatures in the commit data so they can be verified by anyone with a copy of the repo.
Ssh is for getting the code to the repository securely. While it is part of making sure the code doesn't change when it transit, nothing it does stays with the code after that.
PGP is for signing the code. The PGP signature is baked into the repo history itself as a part of the commit. Because it stays with the code, it provides a way to record that someone is signing off on a specific set of changes. Additionally, because it is a signature it also allows verification that the change that was signed off on has not been modified in the repository.