"I would imagine many people would just verify the SHA256 signature alone and not the PGP message and that is no difference from not verifying it."

So do not put the hash in the signature, to prevent someone from using the hash easily without checking the signature.
OK, that's an argument I understand.
However, I personally think that, as it is now, most people do without verification altogether.
Edit:
My problem here was the following:
Checking the signature is easily possible.
Checking the file via hash also no problem.
It was not possible to check the file only with the PGP signature without hash.
Even with the instructions it is too heavy and impenetrable.
A DOS input is required. At least here, most people will probably give up.
Therefore, checking the hash in the signature would be much easier. So more people would do it that way.
It is also true that people are afraid and want to make sure they are smart and anyway go the right way and will also check the signature.
The others who are reckless will not even do a test.
By withholding the hash in the signature, it is now difficult for people who want to do it right.
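The two checks the post contrasts, the detached PGP signature and the SHA256 hash, as an added shell example that is not part of the thread or of any project's own tooling. It assumes gpg is installed and the signer's public key has already been imported (not shown), that the expected digest was copied from the download page, and that sha256sum from GNU coreutils is available:

```shell
#!/bin/sh
# Added example: verify a download in two independent steps.
# Step 1: check the detached PGP signature with gpg (assumes gpg is installed
#         and the signer's public key is already in the keyring).
# Step 2: compare the file's SHA256 with the digest listed on the download page.
# The hash alone only shows the file matches what the page listed; the signature
# shows who produced it. Doing both is what the post calls "the right way".

verify_sig() {
    # $1 = downloaded file, $2 = detached signature (.asc or .sig)
    gpg --verify "$2" "$1" 2>/dev/null
}

sha256_of() {
    # print only the hex digest, not the trailing filename
    sha256sum "$1" | cut -d' ' -f1
}

verify_hash() {
    # $1 = downloaded file, $2 = expected hex digest (lowercase)
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

verify_download() {
    # $1 = file, $2 = detached signature, $3 = expected SHA256 digest
    verify_sig "$1" "$2" || { echo "signature check FAILED" >&2; return 1; }
    verify_hash "$1" "$3" || { echo "hash check FAILED" >&2; return 1; }
    echo "OK: signature and hash both verified"
}

# Usage: ./verify_download.sh FILE FILE.asc EXPECTED_SHA256
if [ "$#" -eq 3 ]; then
    verify_download "$@"
fi
```

On macOS, replace sha256sum with shasum -a 256; the rest is unchanged. The order matters: if the signature check fails, the hash is never consulted, so a matching hash cannot be mistaken for a verified file.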