Is the sort of signing you want to do for code signing related to the sort of signing you want to do as part of an encryption scheme?
This vaguely sounds similar to how RSA decryption/encryption and signing/verification are the same sets of operations, at the primitive level, making it easy to turn a tool that does one into a tool that also does the other. But the actual high-level signing and encryption systems (e.g. RSA-PSS and RSA-OAEP) are not the same operations at all, and being good at one is no guarantee of being good at another.
This kind of PGP signing is also critical to the security of Linux software repos. Debian repos sign the contents of the manifest (which includes hashes of packages), and Apt repos sign individual files.
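The comment about the RSA primitive versus the high-level schemes, as an added example that is not part of the original thread: with textbook RSA, "sign" and "decrypt" are the same private-key exponentiation, so a raw signer applied to a ciphertext returns the plaintext, while a signer that encodes its input first does not hand the caller that operation. The toy key, the function names and the simplified hash-then-sign encoding (a stand-in, not RSA-PSS itself) are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: tiny primes so the numbers are readable. Illustration only.
P, Q, E = 61, 53, 17
N = P * Q                            # modulus 3233
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent 2753


def public_op(x: int) -> int:
    """RSA public-key primitive: x^e mod n."""
    return pow(x, E, N)


def private_op(x: int) -> int:
    """RSA private-key primitive: x^d mod n."""
    return pow(x, D, N)


# Textbook RSA: encryption/verification and decryption/signing share primitives.
textbook_encrypt = public_op
textbook_decrypt = private_op
textbook_sign = private_op


def textbook_verify(m: int, sig: int) -> bool:
    return public_op(sig) == m % N


def encode(message: bytes) -> int:
    """Simplified hash-then-sign encoding (assumption; real PSS adds salt and masking)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def hashed_sign(message: bytes) -> int:
    # The private operation runs on the digest, never on the caller's raw integer.
    return private_op(encode(message))


def hashed_verify(message: bytes, sig: int) -> bool:
    return public_op(sig) == encode(message)


def raw_signer_decrypts(secret: int) -> bool:
    """True when 'signing' a textbook ciphertext yields the plaintext."""
    ciphertext = textbook_encrypt(secret)
    return textbook_sign(ciphertext) == secret == textbook_decrypt(ciphertext)
```

This is the reason a key used with a raw signing tool should never also protect ciphertexts, and why the encoded schemes are not interchangeable even though they share the primitive.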