It's not only that it's hard, everyone does it wrong.
Blindly trusting a pgp public key is just security theatre. Most users don't really have a trust model for keys they accept as authentic.
Current best solutions are TOFU using WKD or keyservers. Using keyservers is worrying since anyone can submit a key, not to mention you're trusting the keyserver.
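Added example, not from the comment author: how a WKD client derives the lookup URLs for an address (SHA-1 of the lowercased local part, z-base-32 encoded, per the WKD draft), plus a minimal TOFU pin store that flags a fingerprint change on a later lookup. The address and fingerprints are constructed sample values.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32; 20 SHA-1 bytes become 32 characters."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(bits >> nbits) & 31])
    if nbits:  # left-align the remaining bits into a final symbol
        out.append(ZBASE32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lowercased local part with SHA-1 and z-base-32 encodes it."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs a client would fetch over HTTPS.
    Note the trust anchor this implies: TLS for the mail domain, not a key signature."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local)  # the 'l' parameter carries the local part as written
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def tofu_check(pins: dict, email: str, fingerprint: str) -> str:
    """Trust-on-first-use: pin the first fingerprint seen for an address and
    report 'CHANGED' if a later lookup returns a different key (a constructed store)."""
    key = email.lower()
    seen = pins.get(key)
    if seen is None:
        pins[key] = fingerprint
        return "pinned"
    return "match" if seen == fingerprint else "CHANGED"
```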
