by SethMLarson 602 days ago
Hello! Great question.

I tried to cover this in PEP 761; this comes down to a few things:

Python release managers don't want to use PGP due to the ergonomic burden. They are volunteers too, after all. This is the key point, and we are making that sentiment clear early (and with an extendable timeline also defining who gets to choose: Steering Council) so that everyone else can plan and take action.

There have been past efforts to stop using PGP that failed likely due to a lack of alternative. Now there is an alternative, but having an alternative is not enough. Verifiers need to start using the new method. It's been 2 years and no Linux distributions support verifying with Sigstore.

From my perspective there has been little to no work to look into Sigstore and whether it's usable by Linux distros. There's a gap in understanding about how Sigstore works in some places. I would not have this perspective without starting this conversation; I've been sharing all the feedback with Sigstore folks along the way.

I hope this provides more context into the "why". This is why "do both forever" is not a solution for us.