I don’t have much experience in the realm of gpg. My experience is mostly with TLS. From what I know, if you’re doing client authentication, you encrypt your message with your private key, and then the public key on a cert is used for validating that the message actually came from you.
I think code signing is similar to client auth, but not positive. Again, I use TLS, but I’m not a professional
The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client’s certificate’s private key. This signature can be verified by using the client’s certificate’s public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
I don’t have much experience in the realm of gpg. My experience is mostly with TLS. From what I know, if you’re doing client authentication, you encrypt your message with your private key, and then the public key on a cert is used for validating that the message actually came from you.
I think code signing is similar to client auth, but not positive. Again, I use TLS, but I’m not a professional
https://about.signpath.io/code-signing/theory#%3A~%3Atext=Software+publishers+use+a+secret%2Cpart+of+the+distribution+package.
Edit:
What I found from Wikipedia:
The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client’s certificate’s private key. This signature can be verified by using the client’s certificate’s public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
https://en.m.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake
This is TLS authentication via SSH, which is a completely different ballgame than using SSH keys for data encryption, decryption, and verification.