Will save this conversation and then ping here when it is time to test it. Don't think anyone here has implemented a Nostr master key system yet as a reference to learn from, so will see what an implementation can look like. At least a Nostr key rotating a PGP key seems fairly straightforward.

Replies (1)

You can build a signing chain, but it collapses the separation. If the nsec signs each new PGP key, the Nostr key becomes a permanent root authority and a single compromise breaks the entire lifecycle. The whole point of coordinating two systems is to avoid that failure mode. With deterministic epochs, clients can verify rotation without deputizing nsec as a god key. Once you have a stable root, rotation is just schedule + client support. Everything else is implementation detail.