Hi Stephan,
No, it's not really possible for HashiCorp to add trusted signatures due to the distributed nature of PGP's web of trust. What GPG is warning you about is that neither you nor anybody whose key you have personally gone out of your way to explicitly trust has signed the HashiCorp key. And HashiCorp really has no idea whom you personally trust. It's not like in the HTTPS world where there are literally hundreds of trusted issuers that generally everybody trusts. Instead, in PGP, the trust is completely decentralized.
Hope this helps,
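
The point made in the reply above, as an added example that is not part of the original message: a simplified Python model of GnuPG's classic trust model, showing that whether a vendor key counts as valid depends only on the verifying user's own signatures and ownertrust settings. The key names (`me`, `alice`, `vendor`, `stranger1`, ...) are constructed, and the thresholds are assumed to be GnuPG's defaults (1 fully trusted or 3 marginally trusted signers, certification depth 5).

```python
# Simplified model of GnuPG's classic (web of trust) validity calculation.
# Added illustration: all key names below are constructed sample data.
FULL, MARGINAL = "full", "marginal"

def valid_keys(own_key, ownertrust, signatures,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of keys this particular user would treat as valid.

    ownertrust: signer key -> FULL or MARGINAL, set locally by the user
    signatures: signed key -> set of keys that certified it
    """
    valid = {own_key}                      # the user's own key is ultimately trusted
    for _ in range(max_depth):             # each pass extends the chain by one hop
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = signers & valid      # signatures from non-valid keys count for nothing
            full = sum(1 for s in counted if ownertrust.get(s) == FULL)
            marginal = sum(1 for s in counted if ownertrust.get(s) == MARGINAL)
            if (own_key in counted or full >= completes_needed
                    or marginal >= marginals_needed):
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

def warns_untrusted(key, own_key, ownertrust, signatures):
    """True when verification would carry the 'not certified with a trusted signature' warning."""
    return key not in valid_keys(own_key, ownertrust, signatures)

# Case 1: the vendor key carries signatures, but none from anyone this user trusts.
STRANGERS_ONLY = {"vendor": {"stranger1", "stranger2", "vendor-employee"}}
# Case 2: the user signed alice's key, and alice signed the vendor key.
VIA_ALICE = {"alice": {"me"}, "vendor": {"alice"}}
# Case 3: the user checked the fingerprint out of band and signed the vendor key.
SIGNED_BY_ME = {"vendor": {"me"}}

if __name__ == "__main__":
    print(warns_untrusted("vendor", "me", {}, STRANGERS_ONLY))
    print(warns_untrusted("vendor", "me", {"alice": FULL}, VIA_ALICE))
    print(warns_untrusted("vendor", "me", {"alice": MARGINAL}, VIA_ALICE))
    print(warns_untrusted("vendor", "me", {}, SIGNED_BY_ME))
```

In every case the vendor publishes exactly the same key; only the verifier's local keyring and ownertrust change the outcome.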