They are also correct, but that's indeed not what the person you replied to said.

> then why haven't alternatives ^W replacements been produced for decades?

Actually we do have alternatives for it.

For example Git supports S/MIME and could absolutely be used to sign commits and tags. Even just using self-signed certificates wouldn't be far off from what PGP offers. However if people used their digital IDs like many countries offer, mission-critical code could have signatures with verifiable strong identities.

Though there are other approaches as well, both for signing and for encrypting. It's more that people haven't really considered migrating.