Oof, TLS isnt a replacement for signatures. There’s a reason most package managers use release sognstirse. x.509 is broken.

And, yes PGP has a WoT to solve its PKI. That’s why we can trust apt sigs and not docker sigs.