So, feel free to correct me if I am wrong but this is my current knowledge about this:
- PGP and SSH both use asymmetric encryption; in other words there is always a public and private key.
- You can verify the sender with your public key if the sender signs whatever he sends with his private key.
- You tend to insert your public key into a remote Git repository like GitHub etc.
So should your private key not be sufficient to verify your identity when you push commits? Why would you want to use PGP instead?
SSH is for getting the code to the repository securely. While it is part of making sure the code doesn't change while it is in transit, nothing it does stays with the code after that.
PGP is for signing the code. The PGP signature is baked into the repo history itself as a part of the commit. Because it stays with the code, it provides a way to record that someone is signing off on a specific set of changes. Additionally, because it is a signature it also allows verification that the change that was signed off on has not been modified in the repository.
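To make the "stays with the code" point concrete, here is an added illustration (not part of the thread) of how a commit signature is stored and checked. Git writes the signature into a `gpgsig` header inside the commit object, strips that header out again at verification time, and checks the signature against everything that is left (tree, parent, author, committer and message). Instead of OpenPGP, this toy uses Ed25519 from Go's standard library so it runs with no external tooling; that substitution, the helper names and the 40-character hashes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// buildCommitPayload assembles the unsigned part of a commit object in the
// order git uses: tree, parent, author, committer, blank line, message.
func buildCommitPayload(tree, parent, author, committer, message string) string {
	return "tree " + tree + "\n" +
		"parent " + parent + "\n" +
		"author " + author + "\n" +
		"committer " + committer + "\n" +
		"\n" + message + "\n"
}

// signCommit signs the whole payload and embeds the signature as a gpgsig
// header after the committer line, which is where git stores it.
func signCommit(priv ed25519.PrivateKey, payload string) string {
	sig := ed25519.Sign(priv, []byte(payload))
	header := "gpgsig " + base64.StdEncoding.EncodeToString(sig) + "\n"
	idx := strings.Index(payload, "\n\n") // end of the header block
	return payload[:idx+1] + header + payload[idx+1:]
}

// splitSignedCommit removes the gpgsig header and returns the bytes that
// were actually signed together with the decoded signature.
func splitSignedCommit(commit string) (string, []byte, error) {
	var payload strings.Builder
	var sig []byte
	for _, line := range strings.SplitAfter(commit, "\n") {
		if strings.HasPrefix(line, "gpgsig ") {
			enc := strings.TrimSuffix(strings.TrimPrefix(line, "gpgsig "), "\n")
			raw, err := base64.StdEncoding.DecodeString(enc)
			if err != nil {
				return "", nil, err
			}
			sig = raw
			continue
		}
		payload.WriteString(line)
	}
	if sig == nil {
		return "", nil, errors.New("commit carries no gpgsig header")
	}
	return payload.String(), sig, nil
}

// verifyCommit reports whether the signature embedded in the commit matches
// the rest of the commit object under the given public key.
func verifyCommit(pub ed25519.PublicKey, commit string) bool {
	payload, sig, err := splitSignedCommit(commit)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(payload), sig)
}

// Demo signs a constructed commit, then edits its message in place the way a
// tampered repository would, and returns (originalValid, tamperedValid).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// constructed sample values; real commits carry SHA-1/SHA-256 object ids
	tree := strings.Repeat("a", 40)
	parent := strings.Repeat("b", 40)
	who := "Alice Example <alice@example.invalid> 1700000000 +0000"
	payload := buildCommitPayload(tree, parent, who, who, "Add input validation")

	signed := signCommit(priv, payload)
	tampered := strings.Replace(signed, "Add input validation", "Skip input validation", 1)
	return verifyCommit(pub, signed), verifyCommit(pub, tampered)
}

func main() {
	ok, tamperedOK := Demo()
	fmt.Println("original commit verifies:", ok)
	fmt.Println("edited commit verifies:  ", tamperedOK)
}
```

The second result is what the answer above means by verification: because the signature covers the tree id as well as the message, rewriting the message, swapping in a different tree, or changing the parent all break it, and the check can be repeated by anyone holding the public key long after the SSH session that delivered the push has ended.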