I glanced through [1]https://news.ycombinator.com/item?id=27586146 which has some dialog with a Debian supporter of the new non-pgp system. The plan appears to be to store the new keys in files (e.g. installation media) that are still pgp-signed (not certain) at this point, since the change is only for apt and not media images. So things can still be verified fully using the web of trust, but the process for doing that is still an obscure and bloated one without tooling.

References

1. https://news.ycombinator.com/item?id=27586146