The only real advantage to using SSH vs PGP keys is you don’t need an external dependency (GPG). PGP is always going to be better, because you get the advantage of WOT, and PGP public key servers to verify identities over just “this is who I am, here’s my key.” You should always sign your commits, no matter what you use. Identity verification is very important in open source.
Are you using your public ssh key for signing? Wouldn’t it make more sense to use the private one as people can then verify your identity by using your public key?
Ha, good catch! Behind the scences, git is actually using your private key to sign the commit. You’re only specifying the ssh key git should ask ssh-agent about. You can also specify the private key and actually need to when not using an agent and the key is not available. See docs
The only real advantage to using SSH vs PGP keys is you don’t need an external dependency (GPG). PGP is always going to be better, because you get the advantage of WOT, and PGP public key servers to verify identities over just “this is who I am, here’s my key.” You should always sign your commits, no matter what you use. Identity verification is very important in open source.
Are you using your public ssh key for signing? Wouldn’t it make more sense to use the private one as people can then verify your identity by using your public key?
Ha, good catch! Behind the scences, git is actually using your private key to sign the commit. You’re only specifying the ssh key git should ask ssh-agent about. You can also specify the private key and actually need to when not using an agent and the key is not available. See docs