this post was submitted on 11 Apr 2025
217 points (95.8% liked)

Programmer Humor

[email protected] 2 points 3 days ago* (last edited 3 days ago)

I think encrypting with a public key is mostly used in client -> server traffic (client encrypts with server's public key, server decrypts with private), and not code signing. However, I'm no TLS/asymmetric crypto savant.

[email protected] 2 points 3 days ago* (last edited 3 days ago)

Encryption can only be done with the PGP public key. Even if you specifically use the private key, it contains the public key, and GPG already knows to use the public key for encryption. You cannot create encrypted cipher text using a GPG private key.

Likewise, you cannot decrypt data using the public key, nor can you sign statements with a public key. For those processes you must use a private key.

I had no idea people found GPG this confusing...

[email protected] 1 points 3 days ago* (last edited 3 days ago)

I don't have much experience in the realm of gpg. My experience is mostly with TLS. From what I know, if you're doing client authentication, you encrypt your message with your private key, and then the public key on a cert is used for validating that the message actually came from you.

I think code signing is similar to client auth, but not positive. Again, I use TLS, but I'm not a professional.

https://about.signpath.io/code-signing/theory#%3A%7E%3Atext=Software+publishers+use+a+secret%2Cpart+of+the+distribution+package.

Edit:

What I found from Wikipedia:

The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.

https://en.m.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake
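The key roles both comments above describe (encrypt with the public key and decrypt with the private key; sign with the private key, as in the CertificateVerify message, and verify with the public key from the certificate), shown with Go's standard-library RSA as an added example that comes from neither commenter, GPG nor TLS itself. The key size, the message and the "handshake transcript" bytes are constructed for the demo; the function signatures make the asymmetry explicit, since the compiler refuses a private key where only a public key belongs and vice versa.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKey generates a fresh RSA key pair (constructed demo key, 2048 bits).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// encryptForRecipient takes only the recipient's PUBLIC key: the sender
// never holds the private key, and the signature will not accept one here.
func encryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
// decryptAsRecipient requires the PRIVATE key; any other key fails with
// rsa.ErrDecryption because the OAEP padding check does not match.
func decryptAsRecipient(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
// signTranscript is the CertificateVerify pattern: the client signs the
// handshake transcript with its certificate's PRIVATE key.
func signTranscript(priv *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	h := sha256.Sum256(transcript)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
// verifyTranscript needs only the PUBLIC key from the certificate; it reports
// false if the transcript was altered or a different key produced the signature.
func verifyTranscript(pub *rsa.PublicKey, transcript, sig []byte) bool {
	h := sha256.Sum256(transcript)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice := newKey() // the recipient / the TLS client that owns the certificate
	ct, _ := encryptForRecipient(&alice.PublicKey, []byte("hello alice"))
	pt, err := decryptAsRecipient(alice, ct)
	sig, _ := signTranscript(alice, []byte("handshake transcript"))
	ok := verifyTranscript(&alice.PublicKey, []byte("handshake transcript"), sig)
	fmt.Printf("decrypted=%q err=%v verified=%v\n", pt, err, ok)
}
```

Swapping in a second key pair shows the other half of the rule: that key's private half cannot decrypt Alice's ciphertext, and its public half rejects Alice's signature.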

[email protected] 1 points 3 days ago

This is TLS authentication via SSH, which is a completely different ballgame than using SSH keys for data encryption, decryption, and verification.