I share your concern, and to bridge the PGP-nostr gap we have NIP-39 cryptographic identities, which will soon be integrated into zapstore-cli.
https://github.com/nostr-protocol/nips/pull/1335
Other tools could be built to leverage these events and feed them into OpenKeychain, for example.
That said, you mention "updates" and a phone which I suppose is Android. Keep in mind that the OS handles this verification for you, so no worries except on first install.
Quoting:
Would be nice if there was a nostr-based PGP key store for nostr apps. Like the devs sign a note with their public PGP keys to a few dedicated relays so we could import them into OpenKeychain.
nevent1q…jg7h
Lots of updates flying around and it would be nice for users to have a standard way to verify nostr app releases on the phone.