Redhat (pre-RHEL) solved package signing around 1999 with RPM 2.0/3.0 by using PGP and later replacing it with GPG. Debian solved it around 2003 by also using GPG.
With truly reproducible builds, it's possible to introduce distributed caching of artifacts and selective probabilistic rebuilds from source to attest/verify integrity in a distributed manner.