It looks like the F-Droid signing key is not reachable from the strong set of the network of trust (i.e. there is no valid path of signatures from the largest connected component of the network of trust to the F-Droid key), so I am having a hard time establishing trust in the key.
What other sources/proofs (other than the F-Droid documentation) are there which could be used to establish trust in the F-Droid signing key?
Thanks for the replies and your efforts to improve the security of F-Droid. However, I get the impression that you are talking about using PGP keys for F-Droid repositories, whereas my concern is the F-Droid client itself.
As long as the PGP key which is used to sign the F-Droid APK is not reachable from a key I trust and its fingerprint is not validated by other sources (e.g. blogs of developers, slides in public talks etc.), the only source of trust in the F-Droid APK is the F-Droid website, so PGP does not add any extra security to the existing HTTPS infrastructure. (And I personally find extra checks like PGP signatures important because, though unlikely, the web server which serves the APK or the certificate authority which provides the SSL certificates might be compromised.)