The cryptosystem behind it is called The Update Framework[0], and provides a lot more flexibility and protection than PGP (on top of using modern crypto).
Don't worry about the "web of trust". Typically this would just mean that your company publishes signed containers, and your company's servers can verify those same containers.
Doesn't that presume that the base image upon which those in-house images are based is also trusted? Don't get me wrong, I'm not trying to be chicken little, but I don't think saying "we only publish our own images so we're ok" skips the authenticity problem.
Running your own registry is probably the case you had in mind.
Paraphrasing one of my colleagues, ensuring what you're installing doesn't do anything evil is basic hygiene, it applies to all software, not just Docker containers. Notary can provide you cryptographic guarantees that the base image you're using did indeed get published by Ubuntu, or RedHat, or even me, and hasn't been tampered with between their build system and you. It's up to you whether you decide to trust those publishers.
Well you could run a registry but that decision is orthogonal to the task of verifying what you're installing, or of signing something that might be installed somewhere else.
