[Spivak]

"but it doesn't prove anything other than that a particular build was made by a certain person."

But that's what trust actually is. This IRL person or identity, that I trust, vouches for the non-maliciousness of this application.

[Nasrudith]

Except the core problem is key propagation because just anyone can have a key - paid or free if you don't know the source. It says it is from Globe Software and it matches with the provided key. It doesn't tell you if they really are Globe Software, let alone if they are a trustworthy company in the first place.