this post was submitted on 11 Apr 2025
Programmer Humor
You seem to be fundamentally misunderstanding how the shared keys work, here. You don't get to choose which key you sign with, either private or public.
If you sign a statement, it uses your private key. Period. The methodology is only the original owner of the keys has access to the private key, so any signed statement also using that private key, is directly from the key owner. Alternatively, anyone has access to your private key, and can encrypt data using it, that only the owner, with access to the private key, can decrypt.
Anyone in the world can encrypt a message that only you can decrypt. That's the way it works. Alternatively, when you sign a statement, you're establishing that the owner of the key pair signed it, as only the owner has access to the private key. Then, anyone in the world can verify your signed statement using your public key.
You don't get to choose which one you use. In the example from my original post, the ssh-agent only needs reference to the location of one of the two keys, and will use the filename regardless, to distinguish between public and private. If I point the configuration option to `this_is_my_key` indicating a private key, it will automatically use `this_is_my_key.pub` as a public key. If I indicate `this_is_my_key.pub` then it does the reverse and will assume that `this_is_my_key` is the private key. It doesn't matter which one you specify, the ssh-agent just needs a filename to work with.
second paragraph should have "anyone has access to your public key"
Anyone only has access to your public key if you give them access to your public key. So no, not really. They should have access to it. It's not something you should keep private, but SSH shared keys aren't PGP shared keys. There's no key servers for SSH shared keys.
look at last sentence of the second paragraph. Is this what you wanted to write?
Of course. The only barrier is the possession of your public key. I really don't understand what you're getting at here. Anyone with your public key can verify a PSK signed statement you made, which obviously is predicated on them having access to the key.
that's 3rd
"Alternatively, anyone has access to your ~~private~~ public key, and can encrypt data using it, that only the owner, with access to the private key, can decrypt."
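The key roles argued over in this thread, as an added example that is not from any commenter: textbook RSA in Python showing which half of the pair each operation needs. The toy primes, function names and sample messages are constructed for illustration; real SSH keys use padded RSA or Ed25519 signatures, not this unpadded form.

```python
import hashlib
from math import gcd

# Constructed toy key pair: two Mersenne primes, chosen only so the example
# is reproducible. Unpadded textbook RSA, for illustration and not for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                 # public key (N, E): fine to hand out
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1             # E must be invertible modulo PHI
D = pow(E, -1, PHI)                 # private exponent: stays with the owner


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, exponent: int = D) -> int:
    """Owner only: apply the private exponent to the message hash."""
    return pow(digest(message), exponent, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone: needs nothing but the public key (N, E)."""
    return pow(signature, E, N) == digest(message)


def encrypt(plaintext: bytes) -> int:
    """Anyone: needs nothing but the public key (N, E)."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, E, N)


def decrypt(ciphertext: int, exponent: int = D) -> bytes:
    """Owner only: the private exponent undoes the public operation."""
    m = pow(ciphertext, exponent, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    note = b"meet at noon"          # constructed sample message
    print("signature verifies:", verify(note, sign(note)))
    print("forged with public exponent:", verify(note, sign(note, exponent=E)))
    print("owner decrypts:", decrypt(encrypt(note)))
```

Holding only the public key lets you verify and encrypt; producing a valid signature or recovering the plaintext requires the private exponent.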