Interesting point in this talk: The APT team is already working on non-PGP signatures.
https://wiki.debian.org/Teams/Apt/Spec/AptSign

I can see the advantages of that for release signatures, which use a rarely changing set of keys. However, I do not see any good alternative to PGP for personal signatures such as developer communication and maintainer uploads. PGP is really handy because once trust in the key fingerprint of a person is established, the person can easily make changes such as adding subkeys, editing the expiration date, revoking keys, etc. at any time. This would also be less convenient with a CMS-PKI-CA-hierarchy based system.

Regards
Stephan