by jbaruch_s 4339 days ago
Is it enough? http://blog.bintray.com/2014/08/04/feel-secure-with-ssl-thin...

The author seems to forget that a key server makes no validation assurances, it just hosts said key.

There are various other flaws in it and he doesn't seem to understand how the PGP WoT works...

The author of what?
Presumably the post you just linked to
Which, based on the blog author and the HN username, is himself.
Well, in that case @iancarroll didn't read the post. What he claims I don't understand is exactly what the post says.
I think @iancarroll is pointing out that you seem to be conflating signature and identity verification. They are different concerns, yet both are necessary for secure software distribution.

Fine if you reject web-of-trust style identity verification, but your notion of "web identity verification" is not in any way a good substitute for code signature verification. What if someone compromises your hosted repository? Unless your artifact were already cryptographically signed, no amount of identity verification is going to help you.
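As an added illustration of the point above (not code from the post, from Bintray or from the commenter), a Go sketch that uses Ed25519 in place of PGP: a checksum served by the repository still matches after the repository is altered, while a detached signature checked against a key the consumer pinned out of band does not. The Repository, Publish and Compromise names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Repository models an artifact host that serves the artifact, a checksum it
// computed itself, and a detached signature uploaded by the publisher
// (constructed model, not any real repository's layout).
type Repository struct {
	Artifact []byte
	Checksum [32]byte
	Sig      []byte
}

// Publish simulates the author uploading an artifact and signing it with a
// private key that never leaves the author's machine.
func Publish(priv ed25519.PrivateKey, artifact []byte) Repository {
	return Repository{
		Artifact: artifact,
		Checksum: sha256.Sum256(artifact),
		Sig:      ed25519.Sign(priv, artifact),
	}
}

// Compromise models a hosted repository being altered: the artifact and its
// server-side checksum are replaced, but the signature cannot be regenerated
// because the publisher's private key is not on the server.
func Compromise(r Repository, replacement []byte) Repository {
	r.Artifact = replacement
	r.Checksum = sha256.Sum256(replacement)
	return r
}

// ChecksumMatches relies only on data the repository serves, so it still
// passes after the repository has been altered.
func ChecksumMatches(r Repository) bool {
	return sha256.Sum256(r.Artifact) == r.Checksum
}

// SignatureValid verifies the detached signature against a public key the
// consumer obtained and pinned out of band, not from the repository.
func SignatureValid(pinned ed25519.PublicKey, r Repository) bool {
	return ed25519.Verify(pinned, r.Artifact, r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	repo := Publish(priv, []byte("artifact-1.0.jar (constructed content)"))
	fmt.Println(ChecksumMatches(repo), SignatureValid(pub, repo)) // true true
	bad := Compromise(repo, []byte("altered build (constructed content)"))
	fmt.Println(ChecksumMatches(bad), SignatureValid(pub, bad)) // true false
}
```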

That's very true. That's why Bintray has both "web identity verification" and PGP signing, while Maven Central gives you signing only, without a way to really identify the author.