What are Git keys for? Why does Git sign with GPG keys rather than SSH keys?

What are the differences between SSH and GPG asymmetric keys and why does git support signing with GPG rather than using the SSH agent?

Solution

The very first notion of signing anything in Git was referenced in commit ec4465a, Git v0.99, Apr. 2005 (pretty much from the very beginning).

    /**
     * A signature file has a very simple fixed format: three lines
     * of "object " + "type " + "tag ",
     * followed by some free-form signature that git itself doesn't
     * care about, but that can be verified with gpg or similar.
     **/

So your question has legs.

The very first signed commit used gpg, but could have used anything else (commit 65f0d0e):

    #!/bin/sh
    object=${2:-$(cat .git/HEAD)}
    type=$(cat-file -t $object) || exit 1
    ( echo -e "object $object\ntype $type\ntag $1\n"; cat ) > .tmp-tag
    rm -f .tmp-tag.asc
    gpg -bsa .tmp-tag && cat .tmp-tag.asc >> .tmp-tag
    git-mktag < .tmp-tag
    #rm .tmp-tag .tmp-tag.sig

Technically, you can use gpg in place of ssh. I haven't often seen the reverse, though.

But an ssh key-pair can be used with PGP/GPG.

That means the first validation script might still work (commit f336e71)... except it expected a PGP comment:

    #!/bin/sh
    GIT_DIR=${GIT_DIR:-.git}
    tag=$1
    [ -f "$GIT_DIR/refs/tags/$tag" ] && tag=$(cat "$GIT_DIR/refs/tags/$tag")
    git-cat-file tag $tag > .tmp-vtag || exit 1
    cat .tmp-vtag | sed '/-----BEGIN PGP/Q' | gpg --verify .tmp-vtag -
    rm -f .tmp-vtag

So, "Why does git sign with GPG keys rather than using SSH keys?": it is what GPG is meant to do, as opposed to SSH, which cannot do it with openssh alone (it needs openssl).

As commented by torek, using SSH would be theoretically possible; it's just not convenient.

In addition, PGP has extra features (not that Git uses them directly—Git itself just invokes some external software—but things like key revocation are useful in these contexts).
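
The split that the validation script above performs with `sed '/-----BEGIN PGP/Q'` (the `Q` command is a GNU sed extension), written portably with awk as an added example that is not part of the original answer or of Git. The function names, the sample tag and the 40-hex SHA-1 object-name check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split a signed tag into signed payload and armored signature.

# Constructed sample (placeholder object name and signature body, not real data).
sample_tag() {
cat <<'EOF'
object 0123456789abcdef0123456789abcdef01234567
type commit
tag v0.0-example

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
EOF
}

# Everything before the first armor line: the bytes the signature must cover.
tag_payload() { awk '/^-----BEGIN PGP/ { exit } { print }'; }

# The armored block, from the first armor line to the end of input.
tag_signature() { awk '/^-----BEGIN PGP/ { found = 1 } found { print }'; }

# Fixed three-line header in order: object, type, tag. Exit status 0 if well formed.
# Assumption: object names are 40 lowercase hex characters (SHA-1).
check_header() {
    awk '
        NR == 1 { ok1 = ($1 == "object" && NF == 2 && length($2) == 40 && $2 ~ /^[0-9a-f]+$/) }
        NR == 2 { ok2 = ($1 == "type" && NF == 2) }
        NR == 3 { ok3 = ($1 == "tag" && NF == 2) }
        END { exit !(ok1 && ok2 && ok3) }'
}

# Verify a tag file with gpg: detached signature first, signed data second.
verify_tag() {
    tmp=$(mktemp -d) || return 2
    tag_payload < "$1" > "$tmp/payload"
    tag_signature < "$1" > "$tmp/sig.asc"
    if check_header < "$tmp/payload" && gpg --verify "$tmp/sig.asc" "$tmp/payload"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

`verify_tag FILE` needs gpg installed and the signer's public key in the keyring; the other functions only read standard input.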
