
cpach yesterday at 6:06 PM

To be frank, at this point, GPG has been a lost cause for basically decades.

People who are serious about security use newer, better tools that replace GPG. But keep in mind, there’s no “one ring to rule them all”.


Replies

perching_aix yesterday at 7:40 PM

What are those better tools? I've been broadly looking into this space, but never ventured too deep.

ghickPittoday at 12:07 AM

> To be frank, at this point, GPG has been a lost cause for basically decades.

Why do high-profile projects, such as Linux and QEMU, still use GPG for signing pull requests / tags?

https://docs.kernel.org/process/maintainer-pgp-guide.html

https://www.qemu.org/docs/master/devel/submitting-a-pull-req...

Why does Fedora / RPM still rely on GPG keys for verifying packages?

This is a staggering ecosystem failure. If GPG has been a known-lost cause for decades, then why haven't alternatives ^W replacements been produced for decades?
