ghickPit 14 hours ago

> To be frank, at this point, GPG has been a lost cause for basically decades.

Why do high-profile projects, such as Linux and QEMU, still use GPG for signing pull requests / tags?

https://docs.kernel.org/process/maintainer-pgp-guide.html

https://www.qemu.org/docs/master/devel/submitting-a-pull-req...

Why does Fedora / RPM still rely on GPG keys for verifying packages?

This is a staggering ecosystem failure. If GPG has been a known-lost cause for decades, then why haven't alternatives ^W replacements been produced for decades?

talideon 11 hours ago

Let's not conflate GPG and PGP-in-general. RPM doesn't use GPG, it uses Sequoia PGP. GPG is what GP is referring to as a lost cause. Now, it can be debated whether PGP-in-general is a lost cause too, but that's not what GP is claiming.