I wonder if you realize the Catch-22 in this whole thing:
A distrusted message on a distrusted web forum links to a distrusted website which is supposed to inform how to download data from another distrusted website (which is well known to be unreachable in whole countries), then verify a PGP signature using software and keys downloaded from the same distrusted (and potentially unreachable) infrastructure.
Parallel to that, you admit that “we actually trust GitHub quite a bit”, and one reads that there is some supposedly ongoing work (deprioritized and left behind for 6+ years), i.e. that in some indeterminate future there may be actual distrust, but meanwhile it is just theoretical. IOW, from the 3 items listed in the last link, the only one that stands out as actuality is the free beer.
What is your suggested alternative course of action?
The only alternative to contradiction is the lack of it.
Privacy is also a contradictory subject.