If no-one is vetting all that source code and vouching for it by signing something, then perhaps the value of an ideal system like this is undermined. In which case perhaps it is the signatures, and the value of identity, that have the main value. And we already sign our downloads, albeit with the nightmarishly painful experience that is GPG.