Exactly. The "PGP is bad because public key infrastructure management is hard" meme should please die already.
The idea of a dedicated package signing and encrypting tool detached from this problem is maybe not a bad idea in that regard, because it removes this stigma.