One of zap.store's goals is to finish what PGP never could.
I share your concern, and to bridge the PGP-nostr gap we have NIP-39 cryptographic identities, which will soon be integrated into zapstore-cli.
https://github.com/nostr-protocol/nips/pull/1335
Other tools could be built to leverage these events and feed them into OpenKeychain, for example.
That said, you mention "updates" and a phone, which I suppose is Android. Keep in mind that the OS handles this verification for you, so no worries except on first install.
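As an added example (not code from the post above, nor from zap.store or zapstore-cli), here is what the "first install" check looks like in practice on Android: the signer certificate digest of the APK is pinned once, out of band, before the package is installed, and the OS then refuses any later update signed by a different key. The script assumes `apksigner` from the Android SDK build-tools is on PATH and that the expected SHA-256 certificate digest was obtained from a trusted source (for instance a developer identity claim such as the NIP-39 ones mentioned above); the sample `apksigner` output embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate before the FIRST install.
# Android verifies that updates are signed with the same key as the installed
# package, so only this initial check has to be done by hand.
#
# Assumptions (not from the original post):
#   - `apksigner` (Android SDK build-tools) is on PATH for verify_first_install
#   - the pinned digest was obtained out of band from the developer

# Read `apksigner verify --print-certs` output on stdin and print the first
# signer's SHA-256 certificate digest, lowercased, or nothing if absent.
signer_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1 | tr 'A-F' 'a-f'
}

# Compare an observed digest with the pinned one, ignoring case and colons.
# Returns 0 only when both are non-empty and equal.
digest_matches() {
  observed=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':')
  [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# Full check for an APK on disk: exit status 0 means it is safe to install.
# Note that a failing `apksigner verify` (bad or missing signature) also fails.
verify_first_install() {
  apk=$1
  pinned=$2
  out=$(apksigner verify --print-certs "$apk") || return 1
  observed=$(printf '%s\n' "$out" | signer_sha256)
  digest_matches "$observed" "$pinned"
}

# Constructed sample of apksigner's output (not a real signer), used so the
# parsing step can be exercised without an APK or the SDK present.
SAMPLE_APKSIGNER_OUTPUT='Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'

# Parse the constructed sample; prints the digest it contains.
demo_parse_sample() {
  printf '%s\n' "$SAMPLE_APKSIGNER_OUTPUT" | signer_sha256
}

# Usage: verify_first_install app.apk <pinned-sha256> && adb install app.apk
```

Once the package is installed, later updates need no such step: the platform rejects an update whose signing certificate does not match the installed one, which is the property the reply above relies on.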