I was just looking at the ethereum package and I typically try and validate the signature when I install it myself. It doesn’t seem like it’d be too hard to hard-code the public key of the creator of the software package and grab the signature & the download as part of the build process.
This could add just another step that an actor would need to modify to introduce a malicious package.
I saw that larger initiatives for package signing have not made it through the early RFC/discussion stages (e.g. #613 and RFC0034) but this seems much more limited and could be introduced package by package.
What do y’all think? Worth the effort?
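As an added example, here is what the per-package check the post describes looks like as a build step in POSIX shell. This is not code from the original post or from any package repository's recipe; the key file, pinned fingerprint and file names are placeholders. The recipe hard-codes the upstream signing key's fingerprint, imports the key into an ephemeral keyring so nothing in the builder's own keyring can influence the result, checks that the key file really carries the pinned fingerprint, and only then verifies the detached signature over the download, accepting it solely if GnuPG reports a valid signature from that key (or one of its subkeys).

```shell
#!/bin/sh
# Added example: verify an upstream release against a signing key that is
# hard-coded in the build recipe. Placeholder names and values throughout.
set -eu

# Pinned fingerprint of the upstream release-signing key. PLACEHOLDER: take the
# real value from the project's documented key, not from the download mirror.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# verify_release TARBALL SIGFILE KEYFILE EXPECTED_FPR
# Exit status 0 only if KEYFILE contains a key with EXPECTED_FPR and SIGFILE is
# a good signature over TARBALL made by that key (or one of its subkeys).
verify_release() {
  tarball="$1"; sigfile="$2"; keyfile="$3"
  # Normalise the pin: drop spaces, upper-case hex, as gpg prints it.
  expected="$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')"
  [ -n "$expected" ] || return 1

  # Ephemeral keyring: the builder's own trust database plays no part.
  home="$(mktemp -d)"
  chmod 700 "$home"

  ok=1
  if GNUPGHOME="$home" gpg --batch --quiet --import "$keyfile" >/dev/null 2>&1; then
    # The key file must contain the pinned fingerprint; a key that merely
    # claims the right name or e-mail address is rejected here.
    if GNUPGHOME="$home" gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: -v want="$expected" '$1=="fpr" && $10==want {f=1} END {exit f?0:1}'; then
      # Status lines on stdout; VALIDSIG carries the signing-key fingerprint
      # in field 3 and the primary-key fingerprint in field 12.
      if status="$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null)"; then
        if printf '%s\n' "$status" \
            | awk -v want="$expected" '$2=="VALIDSIG" && ($3==want || $12==want) {f=1} END {exit f?0:1}'; then
          ok=0
        fi
      fi
    fi
  fi

  GNUPGHOME="$home" gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$home"
  return "$ok"
}

# Build-step usage: ./verify_release.sh pkg.tar.gz pkg.tar.gz.asc upstream-key.asc
if [ "$#" -eq 3 ]; then
  if verify_release "$1" "$2" "$3" "$PINNED_FPR"; then
    echo "signature OK: $1 is signed by $PINNED_FPR"
  else
    echo "refusing to build: signature or key check failed for $1" >&2
    exit 1
  fi
fi
```

In a recipe the two fetches are ordinary downloads (for example `curl -fsSL -o pkg.tar.gz "$URL"` and the same for `"$URL.asc"`), and the key file is committed next to the recipe rather than fetched at build time, so that a compromised download host cannot supply both the artifact and the key that vouches for it. Pinning the fingerprint in the recipe is what gives the check its value: without it, any key that happens to import cleanly would pass.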