I'd argue the point of PGP is that advanced/paranoid users can verify the package was signed by the trusted developer. Most other signing options, like those built into package managers or Windows MSI packages, rely on a central entity, e.g. Microsoft, Canonical, Red Hat and so on.

F-Droid does the same on Android, Mozilla for Firefox, Google for Chrome and so on. Central authorities sign packages, NOT the developer. The trust is placed in the central authority not to tamper with the code between the developer and the user.

I believe you are being dishonest saying it's not useful. It's very useful for its intended purpose. It's widely used in commercial integration pipelines that require authentic source from upstream developers. You can't do everything for the user; they have to learn and care about it. Otherwise you are deferring responsibility anyway, and then you might as well set up a central trusted authority like an app store. I'd argue that's a more secure option for people who won't ever bother to learn code signing.

PGP bridges the gap between trusting app stores for normies and those who care about the authenticity of code, along with marginal friction for developers.

Key distribution will always be difficult. We could sign packages with secp256k1; I've even been tempted to do that as a concept myself, but we still haven't solved good key distribution.