Comment by woodruffw

1 year ago

> The package index only hosts the packages, but doesn't release them. The dev releasing the package is who signs it.

I know that; the GP is describing a countersigning scheme, where the package index (qua trusted entity) countersigns for the signing key, which the dev then uses to sign for their package.

> Without an easy way to verify the keys, the signatures are useless. Which is why PyPI is removing the GPG keys altogether.

Agreed entirely; I'm the one who wrote the analysis in the linked announcement :-)
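To make the countersigning scheme discussed above concrete, here is an added example (not code from the commenter, from PyPI, or from the linked announcement). It assumes Ed25519 keys and a made-up attestation message layout: the index countersigns the developer's public key, the developer signs the artifact digest, and a verifier that trusts only the index's key checks the whole chain. The scenario also shows the point of the quoted objection: a chain rooted in a key the verifier cannot validate (here, a rogue index key) verifies nothing, and a tampered artifact is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyAttestation is the index's countersignature binding a developer name to a
// developer public key. The message layout is an assumption made for this example.
type KeyAttestation struct {
	DevName  string
	DevKey   ed25519.PublicKey
	IndexSig []byte
}

// PackageSignature carries the attestation alongside the developer's signature
// over the artifact digest, so a verifier needs only the index's public key.
type PackageSignature struct {
	Attestation KeyAttestation
	DevSig      []byte
}

// attestationMessage is the byte string the index signs: a domain-separation
// prefix (hypothetical), the developer name, and the raw public key.
func attestationMessage(name string, key ed25519.PublicKey) []byte {
	msg := []byte("example-index/key-attestation/v0\x00" + name + "\x00")
	return append(msg, key...)
}

// CountersignKey is the index's step: it vouches for (name, devKey) with its own key.
func CountersignKey(indexPriv ed25519.PrivateKey, name string, devKey ed25519.PublicKey) KeyAttestation {
	return KeyAttestation{
		DevName:  name,
		DevKey:   devKey,
		IndexSig: ed25519.Sign(indexPriv, attestationMessage(name, devKey)),
	}
}

// SignPackage is the developer's step: sign the SHA-256 digest of the artifact.
func SignPackage(devPriv ed25519.PrivateKey, att KeyAttestation, artifact []byte) PackageSignature {
	digest := sha256.Sum256(artifact)
	return PackageSignature{Attestation: att, DevSig: ed25519.Sign(devPriv, digest[:])}
}

// VerifyPackage checks the chain: trusted index key -> developer key -> artifact.
func VerifyPackage(trustedIndex ed25519.PublicKey, artifact []byte, sig PackageSignature) error {
	att := sig.Attestation
	if len(att.DevKey) != ed25519.PublicKeySize {
		return errors.New("malformed developer key")
	}
	if !ed25519.Verify(trustedIndex, attestationMessage(att.DevName, att.DevKey), att.IndexSig) {
		return errors.New("developer key is not countersigned by the trusted index")
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(att.DevKey, digest[:], sig.DevSig) {
		return errors.New("developer signature does not match artifact")
	}
	return nil
}

// RunScenario exercises the three outcomes a verifier cares about: a valid
// package verifies, a tampered artifact is rejected, and a package whose key was
// countersigned by an index the verifier does not trust is rejected.
func RunScenario() (validOK bool, tamperRejected bool, rogueIndexRejected bool, err error) {
	indexPub, indexPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed stand-in for a package file.
	artifact := []byte("constructed sample wheel contents")

	att := CountersignKey(indexPriv, "alice", devPub)
	sig := SignPackage(devPriv, att, artifact)
	validOK = VerifyPackage(indexPub, artifact, sig) == nil

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	tamperRejected = VerifyPackage(indexPub, tampered, sig) != nil

	rogueAtt := CountersignKey(roguePriv, "alice", devPub)
	rogueSig := SignPackage(devPriv, rogueAtt, artifact)
	rogueIndexRejected = VerifyPackage(indexPub, artifact, rogueSig) != nil
	return validOK, tamperRejected, rogueIndexRejected, nil
}

func main() {
	v, t, r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid=%v tamper_rejected=%v rogue_index_rejected=%v\n", v, t, r)
}
```

The whole scheme rests on the verifier obtaining the index's public key out of band (pinned in the client, for instance); without that one trusted root, the attestation is just another unverifiable signature.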