To scream into the void: Yes, PyPI, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (I just stumbled across one case). Meanwhile, reproducibility is now broken for those packages.
We experience packager drain on #molecule and #ansible related packages, as upstream knowingly breaks compatibility from time to time and doesn't guard or test against it properly. Instead, afterwards, they suggest to "just pin it" 🤡 (which does not work after the fact in system packaging).
Soon they will have their wish fulfilled when no one wants to touch that stuff for packaging anymore...