I think that gpg signature verification is something that belongs in maintainer-facing tools rather than in Portfiles. If the maintainer verifies the distfile's signature before updating the checksums, the user gets close to the same assurances while avoiding a lot of complexity.
I always verify before updating if the project provides signatures, and I would hope others do the same, but also wouldn't be surprised if some don't. Better tools might help improve things. - Josh
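The maintainer-side workflow described above, as an added example (this is not Josh's code or MacPorts' own tooling): verify the distfile's detached signature against a keyring the maintainer controls, pin the signing key's fingerprint rather than trusting whatever is in the keyring, and only then emit the `rmd160`/`sha256`/`size` checksums in Portfile layout. The gpg command-line flags are real; the pinned fingerprint is a placeholder and the input data is constructed for the example.

```python
"""Refuse to produce Portfile checksums unless the distfile's OpenPGP
signature verifies against a pinned key (added example, not project code)."""
import hashlib
import os
import subprocess
import sys

# Hypothetical pinned primary-key fingerprint of the upstream release key.
# A maintainer would keep the real value under their own control.
EXPECTED_PRIMARY_FPR = "0" * 40  # placeholder, constructed for the example


def parse_gpg_status(status_text, expected_fpr):
    """Return True only if gpg reported a VALIDSIG by the pinned key.

    gpg's exit status is 0 for a good signature by *any* key in the
    keyring, so read the machine-readable status lines instead.
    VALIDSIG fields: fpr date ts expire ver reserved pkalgo hashalgo
    class [primary-fpr]; we accept a match on the signing (sub)key
    fingerprint or on the primary-key fingerprint when gpg reports it.
    """
    want = expected_fpr.upper()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            fprs = {fields[2].upper()}
            if len(fields) >= 12:
                fprs.add(fields[11].upper())
            if want in fprs:
                return True
    return False


def verify_signature(distfile, sigfile, keyring, expected_fpr):
    """Run gpg against a maintainer-controlled keyring and pin the key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sigfile, distfile],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return proc.returncode == 0 and parse_gpg_status(proc.stdout, expected_fpr)


def digest_bytes(data):
    """Digests MacPorts Portfiles record: rmd160 (if available), sha256, size."""
    digests = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    try:
        # OpenSSL builds without the legacy provider lack ripemd160.
        digests["rmd160"] = hashlib.new("ripemd160", data).hexdigest()
    except ValueError:
        pass
    return digests


def portfile_checksums(path):
    with open(path, "rb") as f:
        return digest_bytes(f.read())


def format_checksums(digests):
    """Render the digests in the usual Portfile 'checksums' layout."""
    order = [k for k in ("rmd160", "sha256", "size") if k in digests]
    lines = []
    for i, key in enumerate(order):
        prefix = "checksums" if i == 0 else ""
        cont = " \\" if i < len(order) - 1 else ""
        lines.append(f"{prefix:<20}{key:<8}{digests[key]}{cont}")
    return "\n".join(lines)


def checksums_if_verified(distfile, sigfile, keyring, expected_fpr):
    """The whole maintainer step: no valid pinned signature, no checksums."""
    if not verify_signature(distfile, sigfile, keyring, expected_fpr):
        raise RuntimeError(f"signature check failed for {distfile}; "
                           "not updating checksums")
    return format_checksums(portfile_checksums(distfile))


if __name__ == "__main__":
    # usage: script.py DISTFILE DISTFILE.sig /path/to/upstream-keyring.gpg
    dist, sig, ring = sys.argv[1:4]
    print(checksums_if_verified(dist, sig, ring, EXPECTED_PRIMARY_FPR))
```

The point of pinning the fingerprint is that a keyring can accumulate keys over time; a signature by a key that merely happens to be importable should not be enough to update a Portfile. Pass the keyring as an absolute path, since gpg resolves a bare filename relative to its home directory.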
