On 28/12/2016 13:28, Miroslav Rovis wrote:

>> The fact that GitHub, since this outgoing year, accepts gpg signing only
>> if you post your public key to their servers.

I can't say for sure, but maybe that's so they can have an "attestation key" to use for verifying signatures, without expensive WoT checks. By loading your key, you're certifying it's yours. But it won't actually give any more assurance that "you is you" than your credentials (against GitHub): if someone steals your credentials, he can replace your pub key and sign new commits in your name. They're using GPG just as a frontend for signatures using self-signed certificates.

BTW nothing prevents you from uploading your key to the keyservers and participating in the WoT -- that's the only thing that could assure whoever clones your repo that *you* signed those commits. Sometimes just "key persistence" is important (i.o.w. that the key that signed all the commits has always been the same, and in this case the GitHub-loaded key can be enough); other times it could be important to link the key used for signing a commit to (the reputation of) a real person, and in this case the WoT is needed.

> Just some quick links in connection, for the less familiar.
> For users (like me):
> https://help.github.com/categories/gpg/

Some recommendations could be quite questionable (always use RSA 4096, do not set an expiry on main key, no mention of generating a revocation certificate...).

BYtE,
Diego

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
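The "key persistence" property discussed above (every commit in a history carries a good signature, and all of them come from the same key) is something a reviewer can check locally, independent of GitHub's "Verified" badge. The following Python script is an added example, not part of this thread or of any GnuPG or GitHub tooling. It assumes the reader feeds it the output of `git log --format='%H %G? %GF'` (standard git pretty-format placeholders: commit hash, signature status letter, fingerprint of the signing key); the sample log lines embedded below are constructed, and the fingerprints and hashes in them are not real.

```python
"""Check "key persistence" over a git history from `git log` output.

Added example; not part of the mailing-list thread. Expected input is the
output of (assumed invocation, using standard git pretty-format fields):

    git log --format='%H %G? %GF' <branch>

%G? is git's one-letter signature status and %GF the fingerprint of the
(sub)key that made the signature. Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Signature status letters as documented for git's %G? placeholder.
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


@dataclass
class Finding:
    commit: str
    problem: str


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse '%H %G? %GF' lines into (commit, status, fingerprint).

    For unsigned commits %GF is empty, so a line may have only two fields.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        commit = parts[0]
        status = parts[1] if len(parts) > 1 else "N"
        fpr = parts[2] if len(parts) > 2 else ""
        rows.append((commit, status, fpr))
    return rows


def check_persistence(text: str, expected_fpr: str = None):
    """Return (ok, findings).

    ok is True only when every commit has status G and every signature
    comes from one key: expected_fpr if given, otherwise the key that
    signed the majority of commits. Anything else becomes a Finding.
    """
    findings: List[Finding] = []
    by_key = {}
    for commit, status, fpr in parse_log(text):
        if status != "G":
            findings.append(Finding(commit, STATUS.get(status, f"unknown status {status!r}")))
        if fpr:
            by_key.setdefault(fpr, []).append(commit)

    anchor = expected_fpr
    if anchor is None and by_key:
        anchor = max(by_key, key=lambda k: len(by_key[k]))

    for fpr, commits in by_key.items():
        if anchor and fpr != anchor:
            for commit in commits:
                findings.append(Finding(commit, f"signed by {fpr}, not the expected key {anchor}"))
    return (not findings, findings)


# Constructed sample: two commits by the usual key, one "good but untrusted"
# signature from a different key, and one unsigned commit.
SAMPLE_LOG = """\
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 G 1111222233334444555566667777888899990000
b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 G 1111222233334444555566667777888899990000
c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 U AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 N
"""

# Constructed sample with consistent signatures from a single key.
CLEAN_LOG = """\
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 G 1111222233334444555566667777888899990000
b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 G 1111222233334444555566667777888899990000
"""

if __name__ == "__main__":
    ok, findings = check_persistence(SAMPLE_LOG)
    print("key persistence holds" if ok else "key persistence broken:")
    for f in findings:
        print(f"  {f.commit[:12]}  {f.problem}")
```

Passing `expected_fpr` pins the check to a fingerprint obtained out of band (for instance through the WoT), which is stronger than trusting whichever key happens to dominate the history; without it the script only detects a change of key, not whose key it is.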