Not every shared host is going to have PHP extensions for all of that. The protocol does elegantly handle key rotation, but the burden of verification falls entirely on the consumer.

Could this verification be offloaded to the client in WASM? PHP could fetch the ZIP file and signature, and then they could be loaded client-side for verification, and then PHP could proceed with installation once verified.