
Or, maybe you should GPG sign your commits. Then GitHub is irrelevant, assuming you have sole control over your private key.



Even then, the consumer of the package is still dependent on the security practices of the holder of the key. It's more secure, but still not something you can depend on universally as a consumer.

"I promise you can trust me" is not something you can trust.


What do you propose then? If you can't trust the person, then why trust them at all? That argument doesn't make sense.


No one (absolutely no one) should be trusting a human being to be 100% infallible when it comes to security. That's what I'd propose, without even going into the topic of the fallibility of software.

If you're interested in the topic, there are many good papers and studies on how we can't even trust ourselves when it comes to basic things like memory and honesty (with ourselves).


Even then it doesn't matter because you are signing an insecure hash.
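An added example (not from any commenter in this thread) showing what a Git commit signature actually binds to: Git names every object by hashing "<type> <size>\0<body>" (SHA-1 by default), the payload that gets signed is the commit body without its gpgsig header, and the tree and parent lines inside that payload are themselves object hashes. The sample commit fields and the signature text are constructed, and the helper names are mine.

```python
"""Added example: how Git hashes objects and what a commit signature covers."""
import hashlib


def git_object_id(obj_type: str, body: bytes, algo: str = "sha1") -> str:
    """Object id exactly as Git computes it: hash("<type> <len>\\0" + body).
    algo="sha1" is Git's default object format; "sha256" is the newer one."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.new(algo, header + body).hexdigest()


def commit_body(tree_id: str, parents: list, author: str, message: str) -> bytes:
    """Minimal commit object body; the same identity is used as committer."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}"]
    return "\n".join(lines).encode() + b"\n\n" + message.encode() + b"\n"


def with_signature(commit: bytes, armor: list) -> bytes:
    """Embed a detached signature the way `git commit -S` does: a gpgsig header
    whose continuation lines are indented by one space."""
    head, sep, msg = commit.partition(b"\n\n")
    sig = "gpgsig " + "\n ".join(armor)
    return head + b"\n" + sig.encode() + sep + msg


def signed_payload(commit: bytes) -> bytes:
    """Recover the bytes the signature was made over: the commit minus gpgsig.
    Note that this payload names the tree only by its (SHA-1) object id."""
    head, sep, msg = commit.partition(b"\n\n")
    kept, in_sig = [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            continue
        if in_sig and line.startswith(b" "):
            continue  # continuation line of the armored signature
        in_sig = False
        kept.append(line)
    return b"\n".join(kept) + sep + msg


# Constructed sample: the well-known id of Git's empty tree as the tree pointer.
EMPTY_TREE = git_object_id("tree", b"")
SAMPLE_COMMIT = commit_body(EMPTY_TREE, [], "A U Thor <a@example.com> 0 +0000", "init")
SAMPLE_SIGNED = with_signature(
    SAMPLE_COMMIT,
    ["-----BEGIN PGP SIGNATURE-----", "", "constructedSignatureText", "-----END PGP SIGNATURE-----"],
)
```

Verifying the signature (as `git verify-commit` does) proves who produced the payload, but the payload's link to the actual file contents runs through the tree id, so it is only as strong as the object-format hash.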



