On January 14, 2025 at 20:39

Here is a proposal for distributed WordPress package signing:

1. The system relies on users adding the public keys of trusted vendors to their site settings. The update API then includes Ed25519 signatures of SHA256 ZIP hashes in the HTTP headers of the updates.

2. This approach could work seamlessly with Composer for automated CI/CD installs through a custom plugin.
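The exchange described in the proposal, both the vendor's signing step and the site's verification step, as an added example that is not part of the original post and not code from WordPress core or Composer. It assumes a few things the proposal does not spell out: the header is named `X-Signature-Ed25519` and carries base64, the signed message is the lowercase hex SHA-256 of the ZIP bytes, and the pinned vendor keys live in a per-vendor array of base64 public keys. It needs only ext-sodium, which ships with PHP 7.2 and later.

```php
<?php
// Added example, not code from the proposal or from WordPress core.
// Assumptions (mine, not the post's): the signature header is named
// X-Signature-Ed25519 and carries base64; the signed message is the lowercase
// hex SHA-256 of the ZIP bytes; pinned vendor keys are stored per vendor as an
// array of base64 public keys. Requires ext-sodium (bundled with PHP >= 7.2).

declare(strict_types=1);

// --- Vendor side: key generation and release signing ------------------------

/** Generate a vendor signing keypair; returns [publicKeyBase64, secretKey]. */
function vendor_generate_keypair(): array {
    $kp = sodium_crypto_sign_keypair();
    return [
        base64_encode(sodium_crypto_sign_publickey($kp)),
        sodium_crypto_sign_secretkey($kp),
    ];
}

/** Sign a release ZIP: Ed25519 detached signature over hex SHA-256 of the bytes. */
function vendor_sign_zip(string $zipBytes, string $secretKey): string {
    $digest = hash('sha256', $zipBytes); // 64 lowercase hex characters
    return base64_encode(sodium_crypto_sign_detached($digest, $secretKey));
}

// --- Site side: verification before the ZIP is unpacked ---------------------

/**
 * Verify a downloaded ZIP against the update API's signature header using the
 * keys the site admin has pinned for this vendor. Every pinned key is tried so
 * a vendor can rotate keys by publishing a new one alongside the old.
 */
function site_verify_update(string $zipBytes, array $headers, array $trustedKeys, string $vendor): bool {
    if (empty($trustedKeys[$vendor])) {
        return false; // unknown vendor: refuse rather than fall back to unsigned
    }
    $sig = base64_decode($headers['X-Signature-Ed25519'] ?? '', true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // missing or malformed header
    }
    // Hash the exact bytes that will be unpacked; never trust a hash sent by the API.
    $digest = hash('sha256', $zipBytes);
    foreach ($trustedKeys[$vendor] as $pubB64) {
        $pub = base64_decode($pubB64, true);
        if ($pub === false || strlen($pub) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip a corrupt setting instead of failing open
        }
        if (sodium_crypto_sign_verify_detached($sig, $digest, $pub)) {
            return true;
        }
    }
    return false;
}

// --- Demo with constructed data (not a real plugin release) -----------------

[$pubB64, $secret] = vendor_generate_keypair();
$zip = "PK\x03\x04 constructed stand-in for a plugin ZIP";

$headers = ['X-Signature-Ed25519' => vendor_sign_zip($zip, $secret)];
$trusted = ['example-vendor' => [$pubB64]];

var_dump(site_verify_update($zip, $headers, $trusted, 'example-vendor'));        // genuine release
var_dump(site_verify_update($zip . 'x', $headers, $trusted, 'example-vendor'));  // tampered ZIP
var_dump(site_verify_update($zip, $headers, $trusted, 'other-vendor'));          // vendor with no pinned key
```

Two design points worth keeping in mind with this scheme: the site must hash the bytes it is actually about to unpack rather than a hash the update API reports, otherwise the signature only proves the API's claim about the file; and an unknown vendor or absent header has to be a hard failure, because a verifier that falls back to "unsigned is fine" gives an attacker a trivial bypass by simply stripping the header.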