IME, many people want a very simple "sign this file" interface with a few complicating bells and whistles tacked on: certificate chains (maybe authorities, maybe TOFU/HPKP-style pinning), weak cipher rejection, and crypto hardware support.
That's not that hard in the scheme of things but it's definitely not trivial either, especially supporting weird HSMs.
Until something well supported, modern, and easy to use can do the above uncontroversially for 5-10 years, gpg is going to see lots of misuse.