Since this is coming from the GNU folk, they naturally have their inclinations towards open-source software, but I'd argue (and they probably would too) that reproducibility is a much stronger invariant than just code signing.
Bootstrapping everything from a tiny first stage compiler and getting bit-identical compiled outputs is a much higher level of confidence than PKI offers, as PKI can be cracked, stolen, made to sign things it shouldn't, etc. Even if the signature is legit, it doesn't help you against insider risk (e.g. internally added backdoors) on closed source software.
These are all things governments (should probably) care about.