Do I need authentication as well as signing keys on Github?

Time:09-11

Github allows users to add SSH keys in order to access the repositories, but it doesn't do a great job of explaining what the difference is between an "Authentication Key" and a "Signing Key". Specific questions I would like to know are:

  1. Do I need both types of keys in order to access the repository?

  2. If I only add one key and that key is a "Signing Key", will that also allow me to simply check out the code? In other words, does a Signing Key also do authentication?

  3. If I would like to do both Authentication and Signing, do those keys have to be different from one another, or can I use the exact same key for both?

  4. If those keys have to be different from one another, how do I configure Git on my server to send both keys, as I presume that would be necessary, right?

CodePudding user response:

The difference between signing keys and authentication keys is that signing keys can be used to sign Git commits and authentication keys can be used to access repositories. If you add a key as only one type, then it can be used only for that purpose, but the same key may be added for both.

If you just want to access repositories, then all you need is an authentication key. If you want to use an SSH key to verify that your commits have not been modified or tampered with and that they did indeed come from you (and not someone who forged your name and email in commits), then you'd want a signing key (plus a recent version of Git).

The reason they're different sets is that they have different security models and so it makes sense to allow people to set different keys for different purposes if they so choose. This is also in line with best practices for cryptographic key management.
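As an added example (not part of the question or the answer above), here is how question 4 works out in practice with two separate keys: ssh chooses the authentication key through its own host config, and git chooses the signing key through `user.signingkey`, so nothing ever has to "send both keys". The key paths and e-mail address are assumed placeholders; the `allowed_signers` file is what lets `git log --show-signature` verify signatures locally.

```shell
#!/bin/sh
# Assumed placeholder keys, created beforehand with e.g.
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_sign -C "you@example.com"
AUTH_KEY="${AUTH_KEY:-$HOME/.ssh/id_ed25519_auth}"
SIGN_KEY="${SIGN_KEY:-$HOME/.ssh/id_ed25519_sign}"
EMAIL="${EMAIL:-you@example.com}"

# Authentication: ssh picks the key per host, so git itself never sends a key.
# IdentitiesOnly stops ssh from also offering every other loaded key.
write_ssh_config() {
  printf 'Host github.com\n  User git\n  IdentityFile %s\n  IdentitiesOnly yes\n' \
    "$AUTH_KEY" > "$1"
}

# Signing: git >= 2.34 signs commits with an SSH key when gpg.format is "ssh";
# user.signingkey points at the *public* key file of the signing key.
write_git_config() {
  cat > "$1" <<EOF
[gpg]
    format = ssh
[user]
    email = $EMAIL
    signingkey = $SIGN_KEY.pub
[commit]
    gpgsign = true
[gpg "ssh"]
    allowedSignersFile = $HOME/.ssh/allowed_signers
EOF
}

# Local verification needs an allowed_signers line in ssh-keygen's format:
#   <principal> [options] <key type> <base64 key>
# built from the signing public key file given as $2 (GitHub does its own check
# against the key you uploaded as a Signing Key).
write_allowed_signers() {
  read -r ktype kdata _ < "$2"
  printf '%s namespaces="git" %s %s\n' "$EMAIL" "$ktype" "$kdata" > "$1"
}
```

Write the three fragments to `~/.ssh/config`, `~/.gitconfig` and `~/.ssh/allowed_signers` respectively; a commit made afterwards is signed with the signing key while the push still authenticates with the other one.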
