Do I need separate SSH authentication and SSH-Git signing keys?

Question

Does it make sense?

Or is using one SSH key for both purposes secure?

Answer 1

Score: 2
It kind of depends on what your goal is.

There's no technical reason you can't use one key for both. SSH authentication and SSH data signing are both applications of digital signatures, and the way signatures are done with OpenSSH avoids confusion between the two since domain separation is used.

In some cases, you might want a long-term signing key that you plan to use longer than a typical authentication key (I typically rotate authentication keys every time I get a new laptop). In such a case, it would make sense to have them be separate. Another case where it might make sense to have them separate is if your signing key is on a YubiKey or similar security key, and your authentication key is not.

Note also that you'll want to take extra care to protect any key you use for signing since authentication signatures expire quickly (with your SSH connection), whereas Git commits may need to be verified years later. However, assuming you do so, there's no reason you can't use the same key for both.
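To make the "domain separation" point of this answer concrete, here is an added example (not code from the question, the answers, or OpenSSH itself) that reconstructs, with the Go standard library only, the data OpenSSH signs for a detached SSHSIG signature as laid out in PROTOCOL.sshsig; the function names, the fixed demo key seed and the commit text are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH wire-format string: uint32 length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// SignedData builds what OpenSSH actually signs for a detached signature
// (PROTOCOL.sshsig). The namespace ("git" for commits, "file" for plain
// ssh-keygen -Y sign) is the domain-separation tag; a userauth signature
// covers a different structure that starts with the session identifier.
func SignedData(namespace string, message []byte) []byte {
	digest := sha512.Sum512(message)
	var buf bytes.Buffer
	buf.WriteString("SSHSIG")
	buf.Write(sshString([]byte(namespace)))
	buf.Write(sshString(nil)) // reserved, empty
	buf.Write(sshString([]byte("sha512")))
	buf.Write(sshString(digest[:]))
	return buf.Bytes()
}

// Sign produces the raw ed25519 signature carried inside the SSHSIG blob.
func Sign(priv ed25519.PrivateKey, namespace string, message []byte) []byte {
	return ed25519.Sign(priv, SignedData(namespace, message))
}

// Verify checks a signature under the namespace the verifier expects.
func Verify(pub ed25519.PublicKey, namespace string, message, sig []byte) bool {
	return ed25519.Verify(pub, SignedData(namespace, message), sig)
}
func main() {
	// Throwaway demo key from a fixed seed (constructed for this example only).
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, 32))
	pub := priv.Public().(ed25519.PublicKey)
	commit := []byte("tree 0000000000000000000000000000000000000000\n\nconstructed commit\n")
	sig := Sign(priv, "git", commit)
	fmt.Println(Verify(pub, "git", commit, sig), Verify(pub, "file", commit, sig)) // true false
}
```

The same key therefore cannot have a commit signature replayed as a file signature or as an authentication response; the separate-key question is about key lifetime and storage, as the answer says, not about the signature format.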

Answer 2

Score: 0
The GitHub documentation "About commit signature verification" includes:

> SSH signatures are the simplest to generate.
> You can even upload your existing authentication key to GitHub to also use as a signing key.

Meaning, you can use one key for both.

> Generating a GPG signing key is more involved than generating an SSH key, but GPG has features that SSH does not.
> A GPG key can expire or be revoked when no longer used.
> GitHub shows commits that were signed with such a key as "Verified" unless the key was marked as compromised. SSH keys don't have this capability.

That is why I always prefer using one SSH key per task. If there is an issue with one key, I know at least what it was used for.

huangapple
  • Posted on 2023-03-20 23:48:13
  • Please keep this link when reposting: https://go.coder-hub.com/75792454.html