ssh key与gpg key的区别

Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?

When you authenticate to Github with your SSH key, that authentication doesn’t become part of the repository in any meaningful or lasting way.
It causes Github to give you access for the moment, but it doesn’t prove anything to anyone who is not Github.

When you GPG-sign a Git tag, that tag is part of the repository, and can be pushed to other copies of the repository.
Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.

Can I replace my SSH key with my GPG key?

As mentioned in 2017:, you could technically replace your SSH key be a gpg one (, but that is not very convenient, or what a GPG key is used for usually.