Provide gpg-self-signed SSL certificate to enable meaningful certificate pinning
I suggest publishing a GPG-self-signed SSL certificate for the website, in order to enable meaningful certificate pinning.
To avoid forcing users who are unaware of the scheme to deal with warning messages for the self-signed certificate, the GPG-self-signed SSL version of the website would be published on a different port number, so that the standard SSL port can continue to serve the CA-signed (and therefore less trusted) content.
An attacker targeting Tor users in a given country may succeed simply by modifying the website's documentation (via on-the-fly certificate rewriting) to give the wrong advice. It then matters little that the software itself is GPG-signed.
For a website example, https://dev.mutt.org/trac/ uses a GPG-self-signed SSL certificate (but does not provide a CA-signed certificate). See the description on that page.
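A client-side pin check in the spirit of this proposal, added here as an example and not code from the ticket or from any site mentioned: the trust anchor is a certificate fingerprint the user has already checked against the operator's GPG signature out of band, and the CA hierarchy plays no role at all. The host, port and the pin value are placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Fingerprint of the site's self-signed certificate, as published by the
# operator and verified by the user against the operator's GPG signature.
# CONSTRUCTED placeholder, not any real site's fingerprint.
PINNED_SHA256 = "PLACEHOLDER:REPLACE:WITH:GPG:VERIFIED:FINGERPRINT"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the colon-separated,
    upper-case form printed by `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned.strip().upper())


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust anchor is the pinned fingerprint.

    CA validation is disabled on purpose: the certificate is self-signed, so no
    CA could vouch for it. That makes the pin check mandatory; a mismatch must
    abort the connection before any application data is exchanged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # server_hostname only sets SNI here
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned):
            raise ssl.SSLCertVerificationError("presented certificate does not match the GPG-verified pin")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Assumed alternate port for the GPG-self-signed certificate (see proposal above).
    with connect_pinned("example.invalid", 8443, PINNED_SHA256) as conn:
        print("pinned TLS connection established; negotiated", conn.version())
```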