Broken-by-Design/notes/ssh-signing.md

---
title: Why is it better to sign commits with SSH than OpenPGP?
author: "Florian Maury" 
slug: ssh-vs-openpgp-signing 
date: 2022-05-26T11:00:00Z
tags:
- cryptography
- git
lang: en
---

The OpenPGP format was designed in the 90's and never really changed since
then. It was documented in
[RFC4880](https://datatracker.ietf.org/doc/html/rfc4880) in 2008.
Unfortunately, in the 90's, people had really no good understanding of crypto
yet, and the choices made were poor. Envelope design is poor. Some crypto
algorithms are clearly outdated. Some default options are plain wrong.

Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG?
That's not a surprise: it's a popular crypto solution and it's a relatively
easy target, comparatively to some other mainstream crypto implementations. The
Go langage maintainers even deprecated the OpenPGP implementation in their
crypto standard library because they think [OpenPGP is
*dangerous*](https://github.com/golang/go/issues/44226).

> OpenPGP is incompatible with [Go Cryptography
> Principles](https://golang.org/design/cryptography-principles),
it's complex, fragile, and unsafe, and using it exposes applications to a
dangerous ecosystem.

Basically, I would say that the only thing that OpenPGP has for itself is the
deployed infrastructure. Or has it? Web of trust is mostly dead, since
keyservers are out-of-service. And OpenPGP adoption was never really that high
to begin with.

SSH keys are much more widely deployed and used than OpenPGP keys. The format
is dead simple, and the crypto implementation from OpenSSH is up-to-date.

I am very happy that git made SSH signing possible; it means I can delete my
OpenPGP keys for good. I just hope linux distros will make the switch soon, to
a more modern crypto approach: ssh signing or minisign.
Add note on ssh commit signing vs OpenPGP 2022-05-26 11:40:50 +00:00			`---`
			`title: Why is it better to sign commits with SSH than OpenPGP?`
			`author: "Florian Maury"`
			`slug: ssh-vs-openpgp-signing`
			`date: 2022-05-26T11:00:00Z`
Add tags for ssh signing 2022-05-28 09:55:19 +00:00			`tags:`
			`- cryptography`
			`- git`
Add lang metadata for all posts/notes 2022-05-28 11:05:54 +00:00			`lang: en`
Add note on ssh commit signing vs OpenPGP 2022-05-26 11:40:50 +00:00			`---`

			`The OpenPGP format was designed in the 90's and never really changed since`
			`then. It was documented in`
			`[RFC4880](https://datatracker.ietf.org/doc/html/rfc4880) in 2008.`
			`Unfortunately, in the 90's, people had really no good understanding of crypto`
			`yet, and the choices made were poor. Envelope design is poor. Some crypto`
			`algorithms are clearly outdated. Some default options are plain wrong.`

			`Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG?`
			`That's not a surprise: it's a popular crypto solution and it's a relatively`
			`easy target, comparatively to some other mainstream crypto implementations. The`
			`Go langage maintainers even deprecated the OpenPGP implementation in their`
			`crypto standard library because they think [OpenPGP is`
			`dangerous](https://github.com/golang/go/issues/44226).`

			`> OpenPGP is incompatible with [Go Cryptography`
			`> Principles](https://golang.org/design/cryptography-principles),`
			`it's complex, fragile, and unsafe, and using it exposes applications to a`
			`dangerous ecosystem.`

			`Basically, I would say that the only thing that OpenPGP has for itself is the`
			`deployed infrastructure. Or has it? Web of trust is mostly dead, since`
			`keyservers are out-of-service. And OpenPGP adoption was never really that high`
			`to begin with.`

			`SSH keys are much more widely deployed and used than OpenPGP keys. The format`
			`is dead simple, and the crypto implementation from OpenSSH is up-to-date.`

			`I am very happy that git made SSH signing possible; it means I can delete my`
			`OpenPGP keys for good. I just hope linux distros will make the switch soon, to`
			`a more modern crypto approach: ssh signing or minisign.`