Just FWIW from the Windows side (and probably the macOS side), the GPG sigs are entirely redundant with the native OS embedded signatures we use, and the only reason we still do them is because people shouted last time we stopped.
Their argument IIRC was that they wanted to validate our artifacts automatically and let us know if we had been hacked, and to do it from Linux without needing any specific Windows or macOS logic. This isn’t any particular benefit to us, IMHO, but the shouting stopped when we did the sigs again, and at least for Windows they’ve been automated ever since.