Of course, but this is nonetheless the view for typical end users.

And THIS is the problem. Yeah the app is a pain to install, but security is a mindset, not just an app.

I even wonder how many people download an ISO or installer from a website, and do any sort of due diligence to find the signer's key from another 3rd party location, then verify previous builds, or require multiple signers of a key to give any semblance that the key is not fake? Or do we all just download the ISO and the .iso.asc file from the links provided and call it good? Even security minded people can be lazy in this situation.