
637 points | h1x | 1 comment
dane-pgp No.29208701
> GitHub acts as a trusted third party here, and you have to trust them not to lie about people's public keys, so it may not be appropriate for all use cases. But relying on a trusted third party with a professional security team like GitHub seems like a way better default than PGP's Web of Trust, which was nigh impossible to use.

Hopefully that's a false dichotomy and the entire Free Software community doesn't end up reliant on Microsoft to host all our keys for us. The article goes on to mention key transparency, though, which does seem like the right solution.

I note that rekor (the transparency log implementation used by sigstore) already supports signing with SSH keys[0], so this TechRepublic article about it[1] from March (which lists only "GPG, x509 and Minisign") is already out of date.

[0] https://github.com/sigstore/rekor/blob/main/types.md#ssh

[1] https://www.techrepublic.com/article/a-new-linux-foundation-...

replies(2): >>29208803 >>29208944
IYasha No.29208803
Thanks for the insight and links!

And really...

> relying on a trusted third party ... like GitHub seems like a way better default than PGP's Web of Trust

Made me scream: "What??" I'd personally prefer some decentralized torrent-like way of user key distribution.

replies(2): >>29208819 >>29210136
_wldu No.29210136
Distribute your public keys via DNS TXT records:

https://www.go350.com/posts/age-file-encryption/#age-pki-iss...

replies(1): >>29210519
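For the "public keys in DNS TXT records" idea above, here is a small added example of the plumbing a consumer of such a record has to get right. It is not code from the thread or from the linked go350 post: it builds an OpenSSH-format public-key line, splits it into the 255-byte character-strings a TXT record is made of (RFC 1035), rejoins what a resolver would hand back, and parses the result while cross-checking the declared key type against the type embedded in the base64 blob (RFC 4253 wire format). The 32-byte Ed25519 value and the RSA modulus are constructed placeholders, not real keys, and the record/zone names are hypothetical. Parsing says nothing about who controls the zone; DNSSEC validation of the answer is outside this example.

```python
import base64
import struct

# Constructed 32-byte placeholder standing in for an Ed25519 public key; NOT a real key.
DUMMY_ED25519_PUB = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset `off`; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def make_authorized_key_line(key_type: str, key_fields: list, comment: str) -> str:
    """Build an OpenSSH public-key line ('<type> <base64 blob> <comment>') from wire fields."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in key_fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def to_txt_chunks(value: str, limit: int = 255) -> list:
    """Split a long TXT value into <=255-byte character-strings (the RFC 1035 limit).
    Resolvers return these as separate quoted strings; the consumer must rejoin them."""
    raw = value.encode()
    return [raw[i:i + limit].decode() for i in range(0, len(raw), limit)]


def from_txt_chunks(chunks: list) -> str:
    """Rejoin the character-strings of one TXT record, in order, with no separator."""
    return "".join(chunks)


def parse_ssh_public_key(line: str) -> dict:
    """Parse an OpenSSH public-key line. The type in the base64 blob must match the
    declared type; a mismatch means the record was mangled or tampered with."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, off = read_ssh_string(blob, 0)
    if inner.decode() != declared:
        raise ValueError(f"type mismatch: {declared!r} declared, {inner!r} in blob")
    fields = []
    while off < len(blob):
        field, off = read_ssh_string(blob, off)
        fields.append(field)
    if declared == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("ssh-ed25519 blob must carry exactly one 32-byte field")
    return {"type": declared, "fields": fields, "comment": comment}


def publish_and_resolve(line: str) -> dict:
    """Round trip: what the zone owner publishes -> what a resolver returns -> parsed key."""
    chunks = to_txt_chunks(line)
    assert all(len(c.encode()) <= 255 for c in chunks)  # what the zone file must satisfy
    return parse_ssh_public_key(from_txt_chunks(chunks))


if __name__ == "__main__":
    # Hypothetical record: _sshkey.alice.example. IN TXT "<chunk1>" "<chunk2>" ...
    line = make_authorized_key_line("ssh-ed25519", [DUMMY_ED25519_PUB], "alice@example.com")
    for chunk in to_txt_chunks(line):
        print(f'_sshkey.alice.example. IN TXT "{chunk}"')
    print(publish_and_resolve(line)["type"])
```

An Ed25519 line fits in a single character-string, but an RSA key line does not, which is why the chunk handling is not optional: a consumer that only reads the first string of a TXT record will get a truncated blob and fail the length checks above.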
judge2020 No.29210519
That only creates a link between SSH keys and a domain; it's even worse than relying on GitHub since you have to trust that multiple accounts haven't been hacked (registrar + DNS) and that neither the DNS host nor the registrar are acting maliciously.
replies(2): >>29211385 >>29212710
CameronNemo No.29212710
Psst. Github has all that stuff too. Just more because it is a growing and changing webapp instead of an ancient, solidified key value store.