by asimpletune
2060 days ago
In just the most general sense, you do this by associating a public key with something else that is already presumed to be trusted, e.g. belonging to the alleged owner. For example, a DNS record belonging to twillio.com, saying their npm public key is “xyz”. Then, to the point others mentioned here, you include the logic to verify this in the package managers, i.e. compare the signed package with the trustee public key. Although the verification would also be something that could easily be done by a human. Your points of failure here are (a) trusting the DNS system, which is acceptable for most use cases, and (b) trusting the package manager, which is a similar situation to (a) above. There are a few types of DNS records that are meant for this already, depending on the specific, but probably a TXT record is fine and I think what most people do now, though I could be wrong about that.
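The scheme sketched in the comment above, as an added worked example (this is editor-supplied code, not the commenter's or npm's): the publisher puts an Ed25519 public key in a TXT record, the package manager resolves that record and checks the package signature against it. The record name `_npm-signing.<domain>` and the `v=pkgsig1; k=ed25519; p=<base64>` format are assumptions made for the example, not an existing standard, and DNS is stubbed with an in-memory zone so the code runs offline. It also shows two details the comment leaves implicit: the signed message binds `name@version` to the tarball digest so a valid signature cannot be replayed for another version, and the lookup fails closed when zero or several key records are present.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Resolver abstracts the TXT lookup so the example runs offline. A real
// client would use net.LookupTXT, ideally through a DNSSEC-validating
// resolver, because this whole scheme trusts DNS (failure point (a) above).
type Resolver func(name string) ([]string, error)

// Hypothetical record name and format (assumptions for this example):
//   _npm-signing.<domain>  TXT  "v=pkgsig1; k=ed25519; p=<base64 raw 32-byte key>"
const recordPrefix = "_npm-signing."

// parseKeyRecord extracts an Ed25519 public key from one TXT record string.
func parseKeyRecord(txt string) (ed25519.PublicKey, error) {
	fields := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	if fields["v"] != "pkgsig1" {
		return nil, errors.New("unsupported record version")
	}
	if fields["k"] != "ed25519" {
		return nil, errors.New("unsupported key type")
	}
	raw, err := base64.StdEncoding.DecodeString(fields["p"])
	if err != nil {
		return nil, fmt.Errorf("bad key encoding: %w", err)
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("wrong key length")
	}
	return ed25519.PublicKey(raw), nil
}

// lookupPublisherKey returns exactly one usable key for the domain. Zero or
// several parseable key records is treated as an error rather than a guess.
func lookupPublisherKey(resolve Resolver, domain string) (ed25519.PublicKey, error) {
	records, err := resolve(recordPrefix + domain)
	if err != nil {
		return nil, err
	}
	var found []ed25519.PublicKey
	for _, r := range records {
		if k, err := parseKeyRecord(r); err == nil {
			found = append(found, k)
		}
	}
	if len(found) != 1 {
		return nil, fmt.Errorf("expected exactly one key record for %s, got %d", domain, len(found))
	}
	return found[0], nil
}

// makeRecord formats the TXT record a publisher would add to their zone.
func makeRecord(pub ed25519.PublicKey) string {
	return "v=pkgsig1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// signingMessage binds the tarball digest to name@version so a signature
// made for one release cannot be presented as covering another.
func signingMessage(name, version string, tarball []byte) []byte {
	sum := sha256.Sum256(tarball)
	return []byte(fmt.Sprintf("pkgsig1\n%s@%s\nsha256:%s", name, version, hex.EncodeToString(sum[:])))
}

// signPackage is the publisher side.
func signPackage(priv ed25519.PrivateKey, name, version string, tarball []byte) []byte {
	return ed25519.Sign(priv, signingMessage(name, version, tarball))
}

// verifyPackage is the package-manager side: fetch the key via DNS, then
// check the signature over the bound message.
func verifyPackage(resolve Resolver, domain, name, version string, tarball, sig []byte) error {
	pub, err := lookupPublisherKey(resolve, domain)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, signingMessage(name, version, tarball), sig) {
		return errors.New("signature does not verify against the key published in DNS")
	}
	return nil
}

// demo runs the genuine, tampered and replayed cases against a constructed zone.
func demo() (genuineOK, tamperedRejected, replayRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed in-memory zone standing in for real DNS; note the unrelated
	// TXT record sitting beside the key record, which the parser must skip.
	zone := map[string][]string{
		"_npm-signing.example.com": {"some unrelated TXT record", makeRecord(pub)},
	}
	resolve := func(name string) ([]string, error) {
		recs, ok := zone[name]
		if !ok {
			return nil, fmt.Errorf("NXDOMAIN: %s", name)
		}
		return recs, nil
	}
	tarball := []byte("constructed tarball bytes for example-pkg 1.2.3")
	sig := signPackage(priv, "example-pkg", "1.2.3", tarball)

	genuineOK = verifyPackage(resolve, "example.com", "example-pkg", "1.2.3", tarball, sig) == nil
	tampered := append([]byte{}, tarball...)
	tampered[0] ^= 1
	tamperedRejected = verifyPackage(resolve, "example.com", "example-pkg", "1.2.3", tampered, sig) != nil
	replayRejected = verifyPackage(resolve, "example.com", "example-pkg", "9.9.9", tarball, sig) != nil
	return
}

func main() {
	g, t, r, err := demo()
	fmt.Println("genuine verifies:", g, "tampered rejected:", t, "replay rejected:", r, "err:", err)
}
```

The resolver is the only piece that talks to the outside world, which is what makes failure point (a) in the comment concrete: whoever can answer the TXT query for `_npm-signing.example.com` can substitute a key, so in production the lookup should go through a DNSSEC-validating resolver or the record should be pinned after first use.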