My current trust anchor is:
    => LibrePGP's
    => keyfile

    $ gpg --auto-key-locate dane --locate-keys stargrave@stargrave.org
    $ gpg --auto-key-locate  wkd --locate-keys stargrave@stargrave.org
    $ gpg --auto-key-locate  wkd --locate-keys stargrave@gnupg.net

But it lacks post-quantum resistant signing algorithms.
So there are simpler and more advanced ones:
    => KEKS/CM's
    => signing public key
    => encryption public key

I used to sign software tarballs with OpenPGP/LibrePGP keys.
Later I moved to using OpenSSH ssh-keygen's signing capabilities.
But because it is not PQ-ready either, I also tend to sign with KEKS/CM.

=> PGP keyring with previously used keys
=> Its detached PGP signature
=> Its detached KEKS/CM signature

=> Fingerprints/keys
=> Its detached PGP signature
=> Its detached KEKS/CM signature