Federation EN Mon 31.03.2025 20:43:51 @IzzyOnDroid @muminpappa You can add as many SSH keys as you want to Codeberg, and as long as they're verified, you can use them for auth and signing. I do not believe there's a requirement that they be the same. You can configure a global signing key option, but like all Git configs, you can also do that per-repo. (Ironically, GH docs are great here: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
Federation EN Mon 31.03.2025 20:48:11 @mttaggart Thanks! My concern was, as in the article I've linked, that I might want to use an SSH key for signing while not permitting it for login (hard to revoke it if it should get lost; removing it from my Codeberg account then would also mean all those commits showing up unverified, while a GPG key cannot be used for login, and it can be revoked when compromised). Apologies if my question sounds "stupid", but I've heard about SSH signing only today, from your article 😉
Federation EN Mon 31.03.2025 20:49:33 @IzzyOnDroid Right, so that is where I would contend, though, that if you have any reason to "revoke" a key, it should not be conditional.
Federation EN Mon 31.03.2025 20:54:27 @mttaggart Oh, it's less about me accidentally using it to log in. But you're correct: as my GPG key, the SSH key should have a proper passphrase set – so even if someone "finds" the private key, it would be useless to them 🤷‍♂️ Guess I've let myself be carried away a little by that article. But Brian has a point there: not being configured for auth makes it not usable for auth. Well, the term "military grade" was "signaled" out recently I've heard 🙊 💨