I’m not sure why all this PGP/GPG bashing is needed to make an argument for not providing PGP/GPG sigs anymore.
Just to set the record straight: you are comparing apples to oranges when comparing PGP/GPG sigs to sigstore.
PGP/GPG works much like SSH keys, whereas sigstore works similarly to CA based TLS, with a central authority signing keys.
With sigstore, you have to trust the CA. With PGP/GPG you can choose to trust the person signing the data individually.
Now, PGP/GPG is not dead at all. It’s being used for email encryption in e.g. Thunderbird, and it’s the main authenticity provider in many Linux distributions. Just like with SSH keys you assign trust to one by one, the latter ask you whether you want to trust a particular key or not.
Of course, just like the CA based trust model, the PGP/GPG trust management model has its downsides.
Finding out whether to trust a key or not is left to the user and detemining the trust level can sometimes be difficult. OTOH, with the CA model, you simply pass this task on to third parties and have to trust those doing a good job.
In the end, there are pros and cons to both approaches.
Now, it’s well possible to work around the issues mentioned in the PEP and in some of the comments on this PEP topic, related to having to manage individual PGP/GPG keys for producing sigs: just like many other projects do, you simply use a single project key for all releases.
Signing can then be done automatically using a CI/CD process… in much the same way, PyPI is advocating cutting releases of packages today. This would eliviate the need for manual interaction by the RM and also removes the need for the RMs to maintain personal PGP/GPG keys - those can be managed in a central place and also easily rotated on a regular basis.
So taking all this into account, the PEP proposes a switch from putting trust into a handful of PGP/GPG keys to trusting a third party sigstore CA doing a good job.
I think the PEP ought to put more emphasis on this aspect, rather than using the new shiny thing is so much better and we should all use it approach.
I still believe that providing both sigs is a good service to the Python community, since both have their stengths and weaknesses.