GPG still could be much better for those applications. For example, it is still impossible to do GPG multi-sig (e.g. have the application developer and the distribution release manager sign off on the binaries).
At the expense of lower validation speed and requiring every higher level protocol using the signatures to be aware of whatever signing scheme you are using.
reply