That's great - PGP signing works for you in your org.

But the fact is it hasn't worked for package repos like PyPi, and it won't for npm, because in a distributed, low-trust ecosystem like npm, you can't easily bind identities to PGP keys or have any confidence in the key management practices of package signers.

And of course "keyless" signing isn't literally keyless. But tools like sigstore remove the need for the management of long-lived keys and can bind a signature to an identity verified by a trusted IdP, solving some of the main issues with adopting PGP signatures.