
Except the signing key was also downloaded over plain HTTP so all bets are off.


The pubkey is delivered with the CD and signed with gpg, listed on a public server.

This is no longer secure then trusting the CA list in the preinstalled Windows on a PC.


This is a good synthesis here -- downloading and trusting a key over HTTP is folly, but then, so is trusting much of anything that "just works."

If the whole PKI approach is to work, the client has got to get trusting that public key right. In regular practice, that probably means checking it against an HTTPS-delivered version of same from an authoritative domain.

(How far down the rabbit hole do we go? Release managers speaking key hashes into Instagram videos while holding up the day's New York Times?)


You joke, but we've seen with machine learning you can fake those kinds of "proof" videos too :P



