[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

James A. Donald jamesd at echeque.com
Tue Jan 21 20:56:23 EST 2014


Since one does not want contact tracing, why make it easier by exposing 
your durable public key on the outside?

Append your durable public key to the message plaintext, or append an 
identifier from which your public key can be located.  MAC the plaintext 
message with a shared secret created from your durable secret key and 
the recipient's durable public key.  (This form of signing proves to the 
recipient that a person with your secret key signed the message, but 
does not enable him to prove that to anyone else.)

Create a transient secret key and corresponding transient public key. 
Create a transient shared secret from the transient secret key and the 
recipient's durable public key.

Using the transient shared secret, symmetrically encrypt then MAC, or 
perhaps use an authenticated block encryption mode.

Append the symmetrically encrypted and MACed message to the transient 
public key, and send it.

Recipient derives the same transient shared secret from his durable 
secret key and the transient public key (which is why we call that 
secret "shared"), then checks the MAC, then decrypts.  After decryption, 
checks the signature, the inner MAC.
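
The scheme described in the message above, as an added example (not code from the post or its author), written in Python with the third-party `cryptography` package. The post names no algorithms, so X25519, HKDF-SHA256, HMAC-SHA256, ChaCha20-Poly1305, the labels and all function names are assumptions.

```python
import hashlib
import hmac

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)
NONCE = bytes(12)  # a fixed nonce is acceptable only because each outer key is used once


def derive(priv, pub, label: bytes) -> bytes:
    """DH shared secret -> 32-byte key. HKDF-SHA256 and the labels are assumptions."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=label).derive(priv.exchange(pub))


def inner_mac(priv, pub, data: bytes) -> bytes:
    """MAC keyed by durable-durable DH: both parties can compute it, so it convinces only them."""
    return hmac.new(derive(priv, pub, b"inner-mac"), data, hashlib.sha256).digest()


def seal(sender_priv, rcpt_pub, msg: bytes) -> bytes:
    """Return transient_pub || AEAD(sender_pub || msg || inner MAC)."""
    body = sender_priv.public_key().public_bytes(*RAW) + msg
    body += inner_mac(sender_priv, rcpt_pub, body)
    transient = X25519PrivateKey.generate()  # fresh key pair for every message
    outer = ChaCha20Poly1305(derive(transient, rcpt_pub, b"outer-aead"))
    return transient.public_key().public_bytes(*RAW) + outer.encrypt(NONCE, body, None)


def open_sealed(rcpt_priv, wire: bytes):
    """Return (sender durable public key bytes, message); raise on any failed check."""
    if len(wire) < 32 + 32 + 32 + 16:  # transient key, sender key, inner MAC, AEAD tag
        raise ValueError("message too short")
    transient_pub = X25519PublicKey.from_public_bytes(wire[:32])
    outer = ChaCha20Poly1305(derive(rcpt_priv, transient_pub, b"outer-aead"))
    body = outer.decrypt(NONCE, wire[32:], None)  # raises InvalidTag if the outer check fails
    signed, tag = body[:-32], body[-32:]
    sender_pub = X25519PublicKey.from_public_bytes(signed[:32])
    if not hmac.compare_digest(tag, inner_mac(rcpt_priv, sender_pub, signed)):
        raise ValueError("inner MAC mismatch")
    return signed[:32], signed[32:]
```

Only the transient public key is visible on the wire; the sender's durable key travels inside the ciphertext, and the recipient can compute the inner MAC key as well as the sender can, which is why the tag proves nothing to a third party.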


