Max
· 22w
A new npm / package registry signed with nostr keys
Inspired by nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3uamnwvaz7tmwdaehgu3dwp6kytnhv4kxcmmjv3jhytnwv46z7qpqaljazgxlpnpfp7n5sunlk3dvfp72456x6nezjw4s...
Signing with nostr keys vs GPG or whatever else wouldn't make much difference in case of compromise though, unless you could really ensure that all package signing keys are using a hardware signer and that the key never left the signer (think HSM/hardware wallet), so that just a compromise of a dev's machine wouldn't be enough; you would also need physical access.
Or using a multisig approach, with multiple parties needing to sign (and some of them not being known), could prevent some of it.