21

Github allows users to add SSH keys in order to access the repositories but it doesn't do a great job of explaining what the difference is between an "Authentication Key" and a "Signing Key" Specific questions I would like to know are:

  1. Do I need both Types of keys in order to access the repository?

  2. If I only add one key and that key is a "Singing Key" will that also allow me to simply check out the code? in other words does a Signing Key also do authentication?

  3. If I would like to do both Authentication and Signing, do those keys have to be different from one another or can I use the exact same key for both.

  4. If those keys have to be different from one another, how do I configure Git on my server to send both keys, as I presume that would be necessary right?

Dallas Caley
  • 5,367
  • 6
  • 40
  • 69

2 Answers2

24

The difference between signing keys and authentication keys is that signing keys can be used to sign Git commits and authentication keys can be used to access repositories. If you add a key as only one type, then it can be used only for that purpose, but the same key may be added for both.

If you just want to access repositories, then all you need is an authentication key. If you want to use an SSH key to verify that your commits have not been modified or tampered with and that they did indeed come from you (and not someone who forged your name and email in commits), then you'd want a signing key (plus a recent version of Git).

The reason they're different sets is that they have different security models and so it makes sense to allow people to set different keys for different purposes if they so choose. This is also in line with best practices for cryptographic key management.

bk2204
  • 64,793
  • 6
  • 84
  • 100
3

Note: commit signature verification is only supported by GitHub since Aug. 2022

It has to do with commit authorship verification, and nothing with repository access.

https://i0.wp.com/user-images.githubusercontent.com/4021812/186039068-d0d84d96-873b-44ec-8536-5e3e0ab648a3.png?ssl=1

But yes, you can use the same key if you want.
The idea remains, for commits marked as verified on GitHub, that other people can be confident that the changes come from a trusted source.
Said signature check can be validated on all computers by an SSH key synchronized with 1Password.

That differs with an SSH key used for GitHub authentication/repository access: in that latter case, it is better (better practice) to have on different SSH key per computer (in order to invalidate access from one of those computers, if it was compromised/stolen).

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250