GPG (GNU Privacy Guard) is very commonly used to digitally sign files in order to guarantee their authenticity. Like SSH, GPG uses a public-private key pair: the public key is shared and the private key is kept secret. Every repository, be it a CentOS, Ubuntu or third-party repository, is signed with GPG keys by its provider. When you add a repository to your system and enable its GPG key, the provider's public GPG key is added to the trusted GPG keys on your system. This ensures that your Linux system trusts the packages coming from that repository.
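The following added example, not part of the original page, checks yum/dnf `.repo` text for enabled repositories whose packages would be installed without GPG verification, or whose key is fetched over plain HTTP. The sample repository definitions, hostnames, key paths and the `main_gpgcheck` default are constructed assumptions.

```python
import configparser

def audit_repo_text(text, main_gpgcheck=True):
    """Return (repo_id, finding) pairs for enabled repos in yum/dnf .repo text.

    main_gpgcheck is an assumption: the value a repo inherits from the
    system-wide [main] section when it does not set gpgcheck itself.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        repo = cp[repo_id]
        if repo_id == "main" or not repo.getboolean("enabled", fallback=True):
            continue  # skip global settings and disabled repositories
        if not repo.getboolean("gpgcheck", fallback=main_gpgcheck):
            findings.append((repo_id, "gpgcheck off: signatures are not verified"))
            continue
        keys = repo.get("gpgkey", fallback="").replace(",", " ").split()
        if not keys:
            findings.append((repo_id, "no gpgkey: key must already be imported"))
        for url in keys:
            if url.lower().startswith("http://"):
                findings.append((repo_id, "gpgkey fetched over plain HTTP: " + url))
    return findings

# Constructed sample input (hypothetical hosts and paths), not from a real system.
SAMPLE = """\
[base]
baseurl=https://mirror.example.com/base/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
[thirdparty]
baseurl=https://repo.example.org/el/
gpgcheck=0
[vendor]
baseurl=https://pkgs.example.net/el/
gpgcheck=yes
gpgkey=http://pkgs.example.net/RPM-GPG-KEY-vendor
[old]
enabled=0
gpgcheck=0
[inherits]
baseurl=https://repo.example.com/extra/
gpgkey=https://repo.example.com/RPM-GPG-KEY-extra
"""

if __name__ == "__main__":
    for repo_id, finding in audit_repo_text(SAMPLE):
        print(f"{repo_id}: {finding}")
```

On a real host, the same function can be fed the contents of each file under the repository configuration directory.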