@whynothugo Any half-baked software can do the crypto part of signature verification somewhat correctly, OpenPGP problems are due to everything around it being pretty much broken.
If you verify a signature it shows you the key-id which you can't remember, and the email+fullname which you can remember but aren't trustable fields (even with trust levels, those are for key ids, and do not even freeze the fullnames or emails).

Plus a lot of the usage of OpenPGP isn't for email but for things like signing commits, packages, ISO images, … where the trust model of OpenPGP quite falls flat unless you make up your own layer where key IDs are verified to match what they're supposed to verify, so you don't trust a random key in your keyring (or worse fetch the key automagically and move on).

Which is quite why I end up having more trust on a checksum file downloaded from a trusted server (not a CDN/mirror-site) over HTTPS (where x509 provides hostname authentication) or included in a distro tree, than an OpenPGP one where if I wanted to trust it, I'd need to have an OpenPGP implementation which works like signify (like what gentoo does in verify-sig.eclass).