I got this article in a reply to a different conversation, and for the most part I agree with it. Gpg is old and we have better ways. I like signing my commits, I like feeling that these commits are actually and provably mine. But I’m not married to GPG like I used to be, I’d like a better way. The problem is that git used gpg for signing. I learned about this new thing called minisign and I wanna use it with git. So how do we switch? And if we can’t switch, then how do we fix GPG?
You say “how do we fix GPG” but what’s wrong with GPG with regards to signing and verifying got commits?
As far as I know (which isn’t a lot) got uses GPG directly and you can’t have it use a different tool. It’s not like using a different pager like less or cat, it uses GPG and makes assumptions about it.
deleted by creator
deleted by creator
IIRC, GitHub.com and GitHub Enterprise support using SSH for signing. I think that whatever is used should leverage asymmetric/public-key cryptography.
Passkeys maybe?
