Is the reason the DMG (and possibly the EXE/MSI windows binaries as well - tar.gz does not support signatures anyway) is not signed because of the complexity of getting and maintaining a code-signing certificate from a 3rd party? I would like to hear the developers' stance on this.
The Windows binaries for release 23.0 (and IIRC 22.0 as well) were indeed signed by a Microsoft code signing certificate. One of the recent release wasn't signed because the certificate was expired at the time of release (if I remember correctly,) but that's an exception not the rule.
1 questio - Why after -Why did a lot of participants appear in the keys after 3 actions if I added only 1 -Michael Ford?
The .asc file has many signatures in it, including Michael Ford's signature. The GPG verification process checks all the signatures in the .asc file, regardless of how many (or few) developer keys you've imported into your keyring.
2 question - the shazam -256 SHA256SUMS.asc command what does it have to do with checking the "bitcoincore" installation file? I can 't get the gist of it .
the output of the command: a valid user signature gives additional confidence that the installation file "bitcoincore.dmg" is really good?
I'm sorry if I misunderstand you, there might be some confusion due to a language barrier. You don't need the sha256 hash of the SHA256SUMS file. Use GPG to verify the SHA256SUMS file with the signature file, which is named SHA256SUMS.asc. Once the SHA256SUMS file has been verified with GPG then you know the sha256 hashes within the file are authentic. Now you can check the sha256 hash of the bitcoincore.dmg file, and it should match the corresponding hash you find in the SHA256SUMS file.
3 question -checking the sha256 installation file is not enough to make sure that the file is good?
No. That only provides half of the verification to ensure the file is good.