Package Collection Signing

Exactly, it would be nice to know that a package collection is indeed created by someone as they claim. A key, on its own, doesn't tell us the "who", and we need to rely on something else to provide us that information. I agree that certificates are not necessary if there is a service that manages the key-to-identity mappings (such as GitHub in your GPG key example), but in our use case we are not tying ourselves to any such services.

Yes, plus a signature can be used to check who really created the package collection.

SwiftPM rejects certificates based on the criteria listed above. IIUC, the policy you link might impact collection downloads since it pertains to TLS, but that would be a system level issue and not just SwiftPM.

This is an excellent point and thanks for the link. The signing tool (that we will provide) will definitely apply those rules, i.e., it will not just use the collection JSON file/string "as-is" for the signature.

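As an added illustration of the point in the last reply (this is not the signing tool's code nor SwiftPM's actual canonicalization rules; the sample collection is constructed and an HMAC with a placeholder key stands in for a certificate-backed signature), here is why signing the collection JSON "as-is" is fragile and how signing a canonical form avoids it:

```python
import hashlib
import hmac
import json

# Constructed example: two textually different encodings of the same collection
# (different key order and whitespace, identical data).
COLLECTION_A = '{"name": "Example", "packages": [{"url": "https://example.com/a.git"}], "version": "1.0"}'
COLLECTION_B = '{\n  "version": "1.0",\n  "packages": [ {"url": "https://example.com/a.git"} ],\n  "name": "Example"\n}'

# Placeholder key for the demo; a real signer uses an asymmetric key bound to a certificate.
SIGNING_KEY = b"constructed-demo-key"


def canonicalize(json_text: str) -> bytes:
    """Deterministic serialization: parse, then re-emit with sorted keys, no
    insignificant whitespace and ASCII-only escaping, so every encoding of the
    same data yields the same bytes (illustrative rules, not SwiftPM's)."""
    data = json.loads(json_text)
    return json.dumps(data, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def sign_as_is(json_text: str) -> str:
    """Sign the raw text bytes as received: the approach the reply rules out."""
    return hmac.new(SIGNING_KEY, json_text.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_canonical(json_text: str) -> str:
    """Sign the canonical form, so re-formatting in transit or by a tool does
    not invalidate the signature while any change to the data still does."""
    return hmac.new(SIGNING_KEY, canonicalize(json_text), hashlib.sha256).hexdigest()


def verify_canonical(json_text: str, signature: str) -> bool:
    """Recompute over the canonical form and compare in constant time."""
    return hmac.compare_digest(sign_canonical(json_text), signature)
```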