What are the differences between SSH and GPG asymmetric keys and why does git support signing with GPG rather than using the SSH agent?
Solution
The very first notion of signing anything in Git was referenced in commit ec4465a, Git v0.99, Apr. 2005 (pretty much from the very beginning):

```c
/**
* A signature file has a very simple fixed format: three lines
* of "object " + "type " + "tag ",
* followed by some free-form signature that git itself doesn't
* care about, but that can be verified with gpg or similar.
**/
```

So your question has legs.
The very first signed commit used gpg, but could have used anything else (commit 65f0d0e):

```sh
#!/bin/sh
object=${2:-$(cat .git/HEAD)}
type=$(cat-file -t $object) || exit 1
( echo -e "object $object\ntype $type\ntag $1\n"; cat ) > .tmp-tag
rm -f .tmp-tag.asc
gpg -bsa .tmp-tag && cat .tmp-tag.asc >> .tmp-tag
git-mktag < .tmp-tag
#rm .tmp-tag .tmp-tag.sig
```

Technically, you can use gpg in place of ssh. I haven't often seen the reverse, though.
But an ssh key-pair can be used with PGP/GPG.
That means the first validation script might still work (commit f336e71)... except it expected a PGP comment:

```sh
#!/bin/sh
GIT_DIR=${GIT_DIR:-.git}
tag=$1
[ -f "$GIT_DIR/refs/tags/$tag" ] && tag=$(cat "$GIT_DIR/refs/tags/$tag")
git-cat-file tag $tag > .tmp-vtag || exit 1
cat .tmp-vtag | sed '/-----BEGIN PGP/Q' | gpg --verify .tmp-vtag -
rm -f .tmp-vtag
```

So, "Why does git sign with GPG keys rather than using SSH keys?": it is what GPG is meant to do, as opposed to SSH, which cannot do it with openssh alone (it needs openssl).
As commented by torek, using SSH would be theoretically possible, it's just not convenient.
In addition, PGP has extra features (not that Git uses them directly—Git itself just invokes some external software—but things like key revocation are useful in these contexts).
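
An added example, not part of the answer above or of the Git history it quotes: it splits a tag in the early three-line format into the signed payload and the appended signature block, and checks the header before anything would be handed to a verifier. The function names and the sample tag are constructed for illustration; the marker is matched at the start of a line with awk instead of GNU sed's `Q`.

```shell
#!/bin/sh
# Constructed sample tag in the early three-line format; the signature body is a placeholder.
sample_tag() {
cat <<'EOF'
object 0123456789abcdef0123456789abcdef01234567
type commit
tag v0.1

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
EOF
}

# Signed payload: every line before the first line that starts with the PGP marker.
tag_payload() {
    awk '/^-----BEGIN PGP / { exit } { print }'
}

# Appended signature block: the marker line and everything after it.
tag_signature() {
    awk '/^-----BEGIN PGP / { found = 1 } found { print }'
}

# Validate the header lines of the payload and require a signature block.
# Exit status: 0 well-formed and signed, 1 malformed header, 2 no signature present.
check_tag() {
    tag_text=$(cat)
    printf '%s\n' "$tag_text" | tag_payload | awk '
        NR == 1 && (NF != 2 || $1 != "object" || length($2) != 40 || $2 !~ /^[0-9a-f]+$/) { bad = 1 }
        NR == 2 && $0 !~ /^type (commit|tree|blob|tag)$/ { bad = 1 }
        NR == 3 && $0 !~ /^tag [^ ]+$/ { bad = 1 }
        END { if (bad || NR < 3) exit 1 }
    ' || return 1
    [ -n "$(printf '%s\n' "$tag_text" | tag_signature)" ] || return 2
    return 0
}

sample_tag | check_tag && echo "header well-formed, signature block present"
```

Only the output of `tag_payload` is covered by the signature, so a verifier should be given exactly those bytes together with the block from `tag_signature`.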