Automated package building usually looks like this:

    # wget needs -O - to write to stdout for the pipe; nothing here checks a signature
    wget -O - http(s)://... | tar x
    make
    package
    sign_with_gpg
    upload_to_ftp

Only if a package maintainer gets involved is there a chance that release signatures are actually verified. But even then, a whole lot of upstream projects just don't sign their releases. Some distros don't sign their packages, either. Or even their ISOs (iirc Linux Mint only started doing this fairly recently).

Also, "web of trust" only works for a tiny subset of people. If I'm a "lone wolf" FOSS developer, my key won't be signed by anyone, there won't be any WoT to verify. Downstream packagers just have to swallow that or TOFU.




> Also, "web of trust" only works for a tiny subset of people. If I'm a "lone wolf" FOSS developer, my key won't be signed by anyone, there won't be any WoT to verify. Downstream packagers just have to swallow that or TOFU.

One way to mitigate this nowadays is through services like keybase.io, which allow you to aggregate evidence for the authenticity of your key from social media accounts and websites. You can also do this yourself by posting your PGP fingerprint in many different places. These methods make it much more difficult for someone to create a new key in order to impersonate you. Accordingly, it's easy to trust that a key really belongs to a certain person -- even if there are no signatures on it -- when there's a long history of evidence from many different sources that would collectively be very difficult to spoof.
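An added example (not from either commenter) of what the missing step in the pipeline above looks like once a fingerprint has been established out of band, whether via a keybase-style evidence trail or plain TOFU: verify the release against a dedicated keyring and accept only the pinned key, since a zero exit code from `gpg --verify` merely means some key in the keyring produced a valid signature. The fingerprint and the status lines are constructed placeholders.

```python
"""Fail-closed release verification for an automated package build."""
import subprocess
from dataclasses import dataclass

# Pinned out of band (keybase proofs, TOFU, ...). Placeholder, not a real key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def parse_gpg_status(status: str, pinned_fpr: str) -> Verdict:
    """Interpret `gpg --status-fd` output and pin the signing key.

    VALIDSIG carries the signing (sub)key fingerprint in field 3 and the
    primary key fingerprint as the last field; either may be pinned.
    TRUST_* lines are ignored on purpose: pinning replaces the web of trust.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    seen = set()
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FATAL:
            return Verdict(False, f"gpg reported {parts[1]}")
        if parts[1] == "VALIDSIG":
            seen.update({parts[2].upper(), parts[-1].upper()})
    if not seen:
        return Verdict(False, "no VALIDSIG line from gpg")
    if pinned not in seen:
        return Verdict(False, "valid signature, but not from the pinned key",
                       sorted(seen)[0])
    return Verdict(True, "signature matches pinned key", pinned)


def verify_release(tarball: str, signature: str, keyring: str) -> Verdict:
    """Run gpg against a dedicated keyring; ignore its exit code, parse status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, PINNED_FPR)


# Constructed status output, shaped like gpg's, for offline demonstration.
GOOD = ("[GNUPG:] GOODSIG 0123456789ABCDEF Upstream <upstream@example.org>\n"
        f"[GNUPG:] VALIDSIG {PINNED_FPR} 2024-01-01 1704067200 0 4 0 22 8 00 {PINNED_FPR}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
WRONG_KEY = GOOD.replace(PINNED_FPR, "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Upstream <upstream@example.org>\n"
```

The build should only proceed to `make` when `Verdict.ok` is true; the `TRUST_UNDEFINED` line in the sample is exactly the situation of the "lone wolf" key with no web-of-trust signatures.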


Sorry, I am new to this, but my understanding is that homebrew will verify the hash before installing, right?


It probably does, but what good does that do if the source code wasn't transported securely and verified from the upstream to the packager?

Disclaimer: I don't know anything about brew packaging practices. Maybe they always require verification. Maybe they don't.
