With regard to an equivalent of source signing, that’s a little murkier. The source hashes end up in nixpkgs, but the nixpkgs ‘channel’ doesn’t seem to be explicitly signed; various bits of discussion I found:
- How to deal with package signing? · Issue #613 · NixOS/nix · GitHub
- [RFC 0034] Expression Integrity by lrvick · Pull Request #34 · NixOS/rfcs · GitHub
- Review security of nixpkgs commit process · Issue #20836 · NixOS/nixpkgs · GitHub
- [RFC 0100] Sign commits by L-as · Pull Request #100 · NixOS/rfcs · GitHub
- Git-verify: in-band commit verification