Why git sign using GPG keys instead of using SSH keys?

What are the differences between SSH and GPG asymmetric keys, and why does git support signing with GPG instead of using the SSH agent?

+7




3 answers


The very first concept of signing anything in Git was mentioned in commit ec4465a, Git v0.99, April 2005 (pretty much from the beginning):

/**
 * A signature file has a very simple fixed format: three lines
 * of "object <sha1>" + "type <typename>" + "tag <tagname>",
 * followed by some free-form signature that git itself doesn't
 * care about, but that can be verified with gpg or similar.
 **/


So your question has legs.

The very first signed commit used gpg, but could have used something else (commit 65f0d0e):

#!/bin/sh
object=${2:-$(cat .git/HEAD)}
type=$(cat-file -t $object) || exit 1
( echo -e "object $object\ntype $type\ntag $1\n"; cat ) > .tmp-tag
rm -f .tmp-tag.asc
gpg -bsa .tmp-tag && cat .tmp-tag.asc >> .tmp-tag
git-mktag < .tmp-tag
#rm .tmp-tag .tmp-tag.sig




Technically, you can use gpg instead of ssh, although I have not often seen the opposite. But you can use an ssh key pair for PGP/GPG. This means that the first validation script may still work (commit f336e71)... except that it was expecting a PGP comment:

#!/bin/sh
GIT_DIR=${GIT_DIR:-.git}

tag=$1
[ -f "$GIT_DIR/refs/tags/$tag" ] && tag=$(cat "$GIT_DIR/refs/tags/$tag")

git-cat-file tag $tag > .tmp-vtag || exit 1
cat .tmp-vtag | sed '/-----BEGIN PGP/Q' | gpg --verify .tmp-vtag -
rm -f .tmp-vtag


So, "why does git sign with GPG keys and not SSH keys?": this is exactly what GPG is for, unlike SSH, which cannot do this with openssh alone (it requires openssl).

As Torek commented, using SSH would be theoretically possible, it's just not convenient.

Also, PGP has additional features (not that Git uses them directly - Git itself just calls some external software, but things like key revocation are useful in these contexts).

+9
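The two historical scripts above rely on one property of the tag object format described in the first comment: the signed data is everything before the "-----BEGIN PGP SIGNATURE-----" line, and the detached armored signature is appended after it. The following shell functions are an added example (not code from the original answers or from git itself) that split a tag object the same way the old verify script did with sed, read the header fields, and, when gpg is installed, run the same gpg --verify call. The tag object, its object id and the signature body are constructed placeholders, so verify_tag is expected to fail on them; the functions are what the example demonstrates.

```shell
#!/bin/sh
# Added example, not from the original answers: split a signed tag object
# into the payload git signs and the detached ASCII-armored signature.
# The tag object below is constructed for illustration: the object id is
# a placeholder and the signature body is not a real signature.

SAMPLE_TAG='object 0123456789abcdef0123456789abcdef01234567
type commit
tag v1.0
tagger Example Tagger <tagger@example.invalid> 1700000000 +0000

Release v1.0 (constructed sample)
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder=
-----END PGP SIGNATURE-----'

# Everything before the signature delimiter: this is exactly the data that
# gpg verifies (the old script used GNU sed's `Q`; awk is portable).
tag_payload() {
    printf '%s\n' "$1" | awk '/^-----BEGIN PGP SIGNATURE-----$/ { exit } { print }'
}

# Everything from the delimiter to the end: the detached signature block.
tag_signature() {
    printf '%s\n' "$1" | awk '/^-----BEGIN PGP SIGNATURE-----$/ { found = 1 } found { print }'
}

# Value of one header line (object, type, tag, tagger) from the payload.
# Only the first match counts, so a message line cannot shadow the header.
tag_field() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print substr($0, length(key) + 2); exit }'
}

# Sanity check of the fixed header: a 40-hex object id plus type and tag.
tag_header_ok() {
    tag_field "$1" object | grep -Eq '^[0-9a-f]{40}$' || return 1
    [ -n "$(tag_field "$1" type)" ] || return 1
    [ -n "$(tag_field "$1" tag)" ]
}

# Verify like the historical script: payload on stdin, signature as a file.
# Returns gpg's status, or 2 when gpg is not installed.
verify_tag() {
    command -v gpg >/dev/null 2>&1 || return 2
    sig=$(mktemp) || return 2
    tag_signature "$1" > "$sig"
    tag_payload "$1" | gpg --verify "$sig" -
    rc=$?
    rm -f "$sig"
    return $rc
}

# Usage: show the two halves of the constructed tag object.
tag_payload "$SAMPLE_TAG"
echo '--- signature ---'
tag_signature "$SAMPLE_TAG"
```

With a real signed tag, `git cat-file tag v1.0 | { ... }` feeds the same split; modern `git tag -v` does the same separation internally before calling gpg, which is why a signature over the payload still verifies even though the object stored in git contains the signature itself.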




One possible reason is that not everyone using git uses ssh.



You can create a git repository and never leave your local drive. You can use the git protocol, or http, or https, or network filesystems... none of these things is ssh related, but you can still sign commits, since signing happens independently of any network transport or other means of sharing your commits (push/pull).

+2




The reason you shouldn't use ssh to sign commits is one of the common rules of cryptography: you shouldn't use the same keys for different applications / use cases.

In SSH, you use a key to authenticate, but that's something different than signing your commits. For this, GPG is much more suitable as it is already widely used for signing letters, files, etc.

+2








