Skip to content

re: Do you clone Git repos via HTTPS or SSH? VIEW POST

re: no, is there any benefit of signed commits?

Primarily attribution: with signed commits, you generally know that the person listed as the commit-author was actually the person who uploaded the commit (since, presumably, they're the only person with access to the [presumably] password-protected GPG key used to sign the commit). Combined with other security-measures, it's a good way to ensure that no nasties get into your git project (and better auditing if something actually does).

I use GPG keys at work

but I never get how GPG keys are more secure than password.

How they are any harder to get than passwords?

because I'm the only person who knows my password, and both are compromised if the attaker gets access my desktop.

"Defense in depth"

Much like, if you have encrypted volumes on your desktop/laptop, you set a different password for encrypted volumes than for your login password, you set a different password for your GPG keys than your login password.

Similarly, you don't have to keep your GPG keys on your desktop/laptop: you can write them to an encrypted device (like a Yubikey). That way, an attacker:
1) Needs the physical device
2) Needs the unlock credentials for the device
3) Needs the password for the GPG key

Presumably, by the time an attacker has surmounted #3, you've invalidated the errant GPG key. Even with a GPG key on an unencrypted disk/device, attacker needs to gain access to the device and then brute-force the password on the key. And, again, presumably by the time they've managed to break the key, you've invalidated it.

thanks for taking the time to tell my that, now I get that.

code of conduct - report abuse