It was just pointed out to me that Debian hasn’t been using GPG to verify upstream tarballs, and I am about to fix that.
As to sigstore, we’d need to support it in our uscan tool, to have automated verification happen. To include the signature in our source packages, as PGP signatures are, we’d need to modify dpkg-source, and possibly the archive, to support storing them. It’s hard to motivate that change for a single upstream. I know there are other ecosystems supporting it, but I’ve never run into any doing so actively.
So… we can use GPG and really should. I’ll do that. If it were dropped, we’d rely on local manual verification (probably forgotten), rather than being able to migrate completely to sigstore.
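As an added illustration (not part of the comment above), this is the debian/watch configuration that makes uscan fetch the upstream PGP signature alongside the tarball and verify it before accepting the update; the package name, URL and `.asc` suffix are placeholders, and the keyring it checks against is the upstream maintainer's ASCII-armoured public key committed as debian/upstream/signing-key.asc.

```text
# debian/watch (added example; package name and upstream URL are placeholders)
version=4
# pgpsigurlmangle derives the detached-signature URL from the tarball URL.
# uscan downloads both, runs gpgv with debian/upstream/signing-key.asc as the
# keyring, and aborts the update if the signature is missing or does not verify.
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/example-(\d+\.\d+(?:\.\d+)?)\.tar\.gz
```

Because the key file ships inside the Debian source package, anyone rebuilding from the package can repeat the same check with `uscan --verbose`, which is the automated verification the comment refers to.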