
I think one problem with using an SSH key instead of a GPG/PGP key for signing data is key-to-people mapping, for lack of a better word.

I can't speak for others, but for myself I use a single GPG key across all my machines, while I use one SSH key for each of my machines. When I replace a machine with a new one, I don't move/transfer that key to the new machine; I just generate a new key on the new machine and revoke my old key everywhere. To me an SSH key does not map to me, it maps to a me-and-machine combination. If I use an SSH key to sign something and then, after a few years, I replace that machine, that key is no longer used anywhere, and verification can start to become tricky (I'll certainly remove it from my GitHub, which invalidates the key-distribution method proposed by the article).

I also always use name@machine to name/annotate my SSH keys, but GitHub's name.keys strips that info (for good reasons).

So this is probably good for short-lived signing needs, but for something that needs to be verified long into the future (git commits/tags), I don't think this is a good idea?
