Question
What are the differences between SSH and GPG asymmetric keys and why does git support signing with GPG rather than using the SSH agent?
Answer 1:
The very first notion of signing anything in Git was referenced in commit ec4465a, Git v0.99, Apr. 2005 (pretty much from the very beginning):
/**
* A signature file has a very simple fixed format: three lines
* of "object <sha1>" + "type <typename>" + "tag <tagname>",
* followed by some free-form signature that git itself doesn't
* care about, but that can be verified with gpg or similar.
**/
So your question has legs.
The very first signed commit used gpg, but could have used anything else (commit 65f0d0e):
#!/bin/sh
object=${2:-$(cat .git/HEAD)}
type=$(cat-file -t $object) || exit 1
( echo -e "object $object\ntype $type\ntag $1\n"; cat ) > .tmp-tag
rm -f .tmp-tag.asc
gpg -bsa .tmp-tag && cat .tmp-tag.asc >> .tmp-tag
git-mktag < .tmp-tag
#rm .tmp-tag .tmp-tag.sig
Technically, you can use gpg in place of ssh. I haven't often seen the reverse, though.
But an ssh key-pair can be used with PGP/GPG.
That means the first validation script might still work (commit f336e71)... except it expected a PGP comment:
#!/bin/sh
GIT_DIR=${GIT_DIR:-.git}
tag=$1
[ -f "$GIT_DIR/refs/tags/$tag" ] && tag=$(cat "$GIT_DIR/refs/tags/$tag")
git-cat-file tag $tag > .tmp-vtag || exit 1
cat .tmp-vtag | sed '/-----BEGIN PGP/Q' | gpg --verify .tmp-vtag -
rm -f .tmp-vtag
So, "Why does git sign with GPG keys rather than using SSH keys?": it is what GPG is meant to do, as opposed to SSH, which cannot do so with openssh alone (it needs openssl).
As commented by torek, using SSH would be theoretically possible; it's just not convenient.
In addition, PGP has extra features (not that Git uses them directly—Git itself just invokes some external software—but things like key revocation are useful in these contexts).
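As an added illustration of the tag layout the two scripts above rely on (example code written for this page, not part of the original answer or of Git's own sources): the signed payload is the fixed "object / type / tag" header block plus the message, the armored signature is simply appended, and verification splits the object at the first "-----BEGIN PGP" line exactly as the sed address in the verify script does. The sample tag text, its object id and its signature block are all constructed; the signature is not a real one and no gpg call is made. The hashing helper shows the general rule git applies to every object kind, not only tags.

```python
import hashlib

# Constructed sample tag object (not from the page). The three fixed header
# lines are the ones git has used since v0.99; the tagger line and message
# follow; the armored block at the end is a placeholder, not a real signature.
SAMPLE_TAG = (
    "object 8c1f4a0bde9c5f4ce9b2b4ebc63f7e31f0b9a1d2\n"
    "type commit\n"
    "tag v1.0\n"
    "tagger Example User <user@example.com> 1500000000 +0000\n"
    "\n"
    "Release v1.0\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder=\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)

SIG_MARKER = "-----BEGIN PGP"


def split_signed_tag(body: str):
    """Split a tag object into (payload, signature).

    Mirrors `sed '/-----BEGIN PGP/Q'` from the historic verify script:
    everything before the first line starting with the marker is the signed
    payload, the rest is the free-form signature git does not interpret.
    An unsigned tag yields an empty signature.
    """
    lines = body.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith(SIG_MARKER):
            return "".join(lines[:i]), "".join(lines[i:])
    return body, ""


def parse_headers(payload: str):
    """Return the header lines of the payload as a dict and check the fixed
    format that git-mktag expects (object, type and tag must all be present,
    and object must be a 40-hex SHA-1 id)."""
    headers = {}
    for line in payload.splitlines():
        if line == "":          # blank line ends the header block
            break
        key, _, value = line.partition(" ")
        headers[key] = value
    for required in ("object", "type", "tag"):
        if required not in headers:
            raise ValueError(f"missing {required} header")
    oid = headers["object"]
    if len(oid) != 40 or any(c not in "0123456789abcdef" for c in oid):
        raise ValueError("object header is not a SHA-1 hex id")
    return headers


def git_object_id(kind: str, content: str) -> str:
    """SHA-1 of '<kind> <length>\\0<content>', the id git assigns to an object.
    For a signed tag the appended signature is part of the hashed content, so
    signing changes the tag's id."""
    data = content.encode()
    return hashlib.sha1(b"%s %d\0" % (kind.encode(), len(data)) + data).hexdigest()


def inspect_tag(body: str = SAMPLE_TAG):
    """Split, validate and hash a tag object; returns what a verifier would
    hand to gpg (payload, signature) plus the id of the stored object."""
    payload, signature = split_signed_tag(body)
    headers = parse_headers(payload)
    return {
        "headers": headers,
        "payload": payload,
        "signature": signature,
        "signed_id": git_object_id("tag", body),
        "unsigned_id": git_object_id("tag", payload),
    }


if __name__ == "__main__":
    result = inspect_tag()
    print("headers:", result["headers"])
    print("tag id with signature:   ", result["signed_id"])
    print("tag id without signature:", result["unsigned_id"])
```

The point a practitioner should take from this: git stores and hashes the signature as opaque bytes inside the tag object, so the object id commits to the signature but git itself never checks it; whatever tool produced the armored block (gpg in the scripts above) is the only thing that can verify it, which is why the verify script just pipes the stripped payload into gpg.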
Answer 2:
One likely reason is that not everybody using git is using ssh.
You can create a git repo and never have it leave your local disk. You can use the git protocol, or http, or https, or network filesystems... none of those things involve ssh, but you can still sign commits, because that happens independent of any network transport or other push/pull sharing of your commits.
Answer 3:
The reason why you should NOT use ssh for signing commits is one of the common rules of cryptography: you should not use the same keys for different applications/use cases.
In SSH you use a key for authentication, but that is something different from signing your commits. For this, GPG is much better suited, as it is already widely used for signing emails, files and so on.
Source: https://stackoverflow.com/questions/45119932/why-does-git-sign-with-gpg-keys-rather-than-using-ssh-keys