Damus
waxwing · 5w
Waiting for the Kratter video to educate me on where you went wrong here.
sedited
In short: The gpg version I had running back then still used sha1 as a default digest to generate the base signature attesting to the first subkey generated automatically during key generation. Like a good citizen, I changed the default digest algorithm to something strong, generated the remaining [a]uth and [e]ncrypt subkeys with this configuration, and changed the expiry on all of them. Turns out, gpg never refreshes the base signature even if you tell it to update a subkey, or change its configuration. So when the Bitcoin Core commit signature verifier ran with a strict no weak algos policy it tripped over this weak base signature.
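A way to spot the kind of weak subkey binding signature described in the post above, as an added example that is not part of the thread or of Bitcoin Core's verifier: it scans text in the layout of `gpg --export <KEYID> | gpg --list-packets` for subkey binding signatures (sigclass 0x18) made with a weak digest. The function name, the weak-digest set (MD5 and SHA1) and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumed policy for this example: OpenPGP digest ids (RFC 4880) treated as weak.
WEAK_DIGESTS = {1: "MD5", 2: "SHA1"}
SUBKEY_BINDING = 0x18  # signature class of a subkey binding signature

# Constructed sample, laid out like: gpg --export <KEYID> | gpg --list-packets
SAMPLE = "\n".join([
    ":public key packet:",
    "\tversion 4, algo 1, created 1500000000, expires 0",
    "\tkeyid: 1111111111111111",
    ':user ID packet: "Example Signer <signer@example.org>"',
    ":signature packet: algo 1, keyid 1111111111111111",
    "\tversion 4, created 1500000000, md5len 0, sigclass 0x13",
    "\tdigest algo 8, begin of digest aa bb",
    ":public sub key packet:",
    "\tversion 4, algo 1, created 1500000000, expires 0",
    "\tkeyid: 2222222222222222",
    ":signature packet: algo 1, keyid 1111111111111111",
    "\tversion 4, created 1500000000, md5len 0, sigclass 0x18",
    "\tdigest algo 2, begin of digest cc dd",
    ":public sub key packet:",
    "\tversion 4, algo 1, created 1600000000, expires 0",
    "\tkeyid: 3333333333333333",
    ":signature packet: algo 1, keyid 1111111111111111",
    "\tversion 4, created 1600000000, md5len 0, sigclass 0x18",
    "\tdigest algo 10, begin of digest ee ff",
])

def weak_subkey_bindings(listing):
    """Return (subkey keyid, digest name) for each weak subkey binding signature."""
    findings, packet, subkey, sigclass = [], None, None, None
    for line in listing.splitlines():
        if line.startswith(":"):            # a new packet starts
            packet, sigclass = line.split(" packet:")[0], None
            if packet == ":public key":
                subkey = None               # bindings that follow belong to a new key
            continue
        if packet == ":public sub key":
            m = re.match(r"\s*keyid:\s*([0-9A-Fa-f]+)", line)
            if m:
                subkey = m.group(1)
        elif packet == ":signature":
            m = re.search(r"sigclass (0x[0-9A-Fa-f]+)", line)
            if m:
                sigclass = int(m.group(1), 16)
            m = re.match(r"\s*digest algo (\d+)", line)
            if m and sigclass == SUBKEY_BINDING and int(m.group(1)) in WEAK_DIGESTS:
                findings.append((subkey, WEAK_DIGESTS[int(m.group(1))]))
    return findings

if __name__ == "__main__":
    for keyid, digest in weak_subkey_bindings(SAMPLE):
        print(f"subkey {keyid}: binding signature uses {digest}")
```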
waxwing · 4w
I hardly ever use gpg any more, but I remember the subkey thing being a major pain point in having a correct mental model of wtf is going on.