I see some people sign the md5sums and some sign the ISOs. From what I understand, the advantage of signing the md5sums is that it's a quick operation to sign a one-line text file, while it takes a long time to sign an ISO. But if you sign the ISO and then verify the signature, you don't need to verify the md5sum too, am I right? (It's still good to provide md5sums because some people don't bother to verify signatures.)
Oberon from Manjaro recommends gpa, which seems to be a self-explanatory GUI for GPG.
From a security standpoint, signing the .iso or the iso.md5 is (almost) equivalent. A signature also provides the security service of integrity, so you don't need to verify an md5sum.
The trade-off would be in terms of performance vs. ease of use. It seems obviously faster to sign an iso.md5 (or iso.sha1), which you need to have calculated beforehand.
But in fact it is not so obvious, because it also depends on the machine. Mine takes very long (several minutes) for md5sum checks, but much less time (half a minute) for a signature check of the .iso file. Well, you need to import the key once for each distro.
MX-14 on a Via Eden 1GHz CPU thin client, 3GB RAM, Via VX800 chipset, Via Chrome9 HC GPU, 32GB M.2 SSD;
btrfs with @ and @home subvolumes for MX-14;
added @antiX and @antiXhome subvolumes and copied antix 13.1 base into them, adjusting Grub from MX-14.
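The two chains the thread compares, a signed checksum file versus a detached signature over the image itself, as an added example that is not code from either poster. It generalizes slightly from the thread by using sha256sum rather than md5sum (the verification steps are the same). It assumes GnuPG 2.1 or later, sha256sum and mktemp on PATH; the release key and the "ISO" are constructed on the spot and stand in for a distro's real key and image.

```shell
#!/bin/sh
# Added example, not code from the thread: the two verification chains side by side.
# Assumptions: gpg (GnuPG 2.1+), sha256sum, awk and mktemp are on PATH; the release
# key and the "ISO" are constructed here and stand in for a distro's real ones.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Ephemeral signing key standing in for the distro's release key (constructed).
gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Release Key <release@example.invalid>' ed25519 sign 1d 2>/dev/null

# Constructed stand-in for an ISO image: 1 MiB of random bytes.
head -c 1048576 /dev/urandom > "$WORK/distro.iso"

# Publisher side, variant A: hash the image, then sign only the small text file.
( cd "$WORK" && sha256sum distro.iso > SHA256SUMS )
gpg --batch --quiet --yes --detach-sign --armor \
    --output "$WORK/SHA256SUMS.sig" "$WORK/SHA256SUMS" 2>/dev/null

# Publisher side, variant B: detached signature over the image itself (reads the whole ISO).
gpg --batch --quiet --yes --detach-sign --output "$WORK/distro.iso.sig" "$WORK/distro.iso" 2>/dev/null

# A tampered copy with the same file name, to show what each chain catches.
mkdir "$WORK/tampered"
cp "$WORK/distro.iso" "$WORK/tampered/distro.iso"
printf 'x' >> "$WORK/tampered/distro.iso"

# Verifier side, variant A. The signature covers only the text of SHA256SUMS, so the
# hash comparison is a required second step, not an optional extra.
# Returns 0 = good, 1 = bad or missing signature, 2 = hash mismatch or image not listed.
verify_via_sums() {
    iso=$1; sums=$2; sig=$3
    gpg --batch --quiet --verify "$sig" "$sums" 2>/dev/null || return 1
    expected=$(awk -v f="$(basename "$iso")" '$2 == f { print $1 }' "$sums")
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 2
    return 0
}

# Verifier side, variant B: one gpg call covers both origin and integrity of the image.
# Arguments: image, detached signature. Returns gpg's own status (0 = good signature).
verify_via_iso_sig() {
    gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

# Print the outcome of a verification call without aborting under set -e.
report() {
    rc=0
    "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then echo "OK      : $1 $(basename "$2")"; else echo "FAIL($rc): $1 $(basename "$2")"; fi
}

report verify_via_sums    "$WORK/distro.iso"          "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.sig"
report verify_via_iso_sig "$WORK/distro.iso"          "$WORK/distro.iso.sig"
report verify_via_sums    "$WORK/tampered/distro.iso" "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.sig"
report verify_via_iso_sig "$WORK/tampered/distro.iso" "$WORK/distro.iso.sig"
```

On the untouched image both chains pass; on the tampered copy `verify_via_sums` returns 2 (the signature on SHA256SUMS is still good, only the hash comparison fails) and `verify_via_iso_sig` fails outright. That is the practical difference the thread is after: a signed checksum file is cheap to produce but the downloader must perform two checks, whereas a signature over the image makes a separate checksum redundant. In both cases the result only means something once the distro's release key has been imported and its fingerprint checked out of band, which is the "import the key once per distro" step mentioned above.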