Scene groups provide nfo files with their releases. Those nfo files could contain a cryptographic signature proving the authenticity of the rip.
Essentially, the way it works is that for a given group there are two keys: A private key `P` (that only the group has), and a public key `Q` (that everyone has). For a file `F` the "signature" is the output of some function `sign(P, Q, F)`. The function `sign` is specially chosen so that the output can be validated without access to `P`, but cannot be efficiently forged without it.
As other posters have pointed out, this means that if `P` is kept secret then all signed releases can be authoritatively linked to the people who provided them. Finding `P` on someone's thumb drive is a smoking gun. To be honest, I don't think this would be a big worry, but I'm not in the scene and I don't know how the people in it think.
Classic scene groups are not interested in having their releases spread on torrent sites, so including any signatures would be helping with what they don't want to happen in the first place.
That said, a third party could add a signature. But in practice a cryptographically secure signature isn't even needed. It boils down to a reputation system, so that you can associate a torrent file with quality, and this has already existed since forever on sites like the piratebay in the form of uploader usernames. A lot of torrents are uploaded by the same users, users who have a history of quality torrents. In contrast, a Hollywood uploader would never have any actual quality torrents in the account history. So in conclusion, this problem was already solved ages ago.
The warez group CORE signs their releases with CRCs in their NFO files. They distribute a checker program called core10k.exe which ironically often turns up with malware injected into it on p2p sites.
Yeah but that is to check the file integrity, that's something entirely different. Anyone can calculate a CRC checksum for any garbage files they want, upload it and label it as a CORE release. There is no way to verify that the release is genuine. And if you tamper with an authentic release, for example introduce some malware, you can simply recalculate the checksum itself. This would be impossible if the release were cryptographically signed, because you would need CORE's private key to generate a valid signature.
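As an added illustration (not code from any poster, group or tool in this thread), here is the `sign(P, Q, F)` / verify flow from the earlier comment put next to the CRC point just made, in Go using only the standard library. The release bytes and the key pairs are constructed for the example, and the choice of Ed25519 is an assumption, since no post names an algorithm. It shows the three cases a verifier cares about: the genuine file verifies with the group's public key, a modified file fails against the original signature, and a third party who re-signs the modified file with their own key also fails, while a recomputed CRC happily matches the modified file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Constructed sample release payload; not bytes from any real rip.
var releaseFile = []byte("constructed release payload, standing in for the rip\n")

// Outcome collects what each check reports so the results can be inspected.
type Outcome struct {
	OriginalVerifies   bool // genuine file + group signature, checked with the group's Q
	TamperedVerifies   bool // modified file against the original signature
	ForgedVerifies     bool // modified file signed with a third party's own key
	TamperedCRCMatches bool // CRC recomputed by the tamperer still matches the file
}

// crcOf is the CRC32 an NFO typically lists. It detects corruption only:
// whoever modifies the file can recompute it.
func crcOf(data []byte) uint32 { return crc32.ChecksumIEEE(data) }

// Sign plays the role of sign(P, Q, F) from the thread. With Ed25519 the
// public key is derived from the private one, so only P and F are needed.
func Sign(priv ed25519.PrivateKey, file []byte) []byte { return ed25519.Sign(priv, file) }

// Verify is the check anyone holding only the public key Q can run.
func Verify(pub ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(pub, file, sig)
}

// tamper returns a modified copy of the file, standing in for any later change.
func tamper(file []byte) []byte {
	out := append([]byte{}, file...)
	return append(out, []byte("injected change\n")...)
}

// RunScenario walks through the genuine, tampered and forged cases.
func RunScenario() (Outcome, error) {
	var o Outcome
	// The group's key pair: P (priv) stays with the group, Q (pub) is published.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	sig := Sign(priv, releaseFile)
	o.OriginalVerifies = Verify(pub, releaseFile, sig)

	// Someone modifies the file after the fact.
	modified := tamper(releaseFile)
	o.TamperedVerifies = Verify(pub, modified, sig)

	// A CRC-only NFO is no obstacle: the tamperer just rewrites the CRC line.
	rewrittenNFOCRC := crcOf(modified)
	o.TamperedCRCMatches = crcOf(modified) == rewrittenNFOCRC

	// Without P the best a third party can do is sign with a key of their own,
	// which does not verify against the group's published Q.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	o.ForgedVerifies = Verify(pub, modified, Sign(otherPriv, modified))
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine file, group signature verifies:        %v\n", o.OriginalVerifies)
	fmt.Printf("tampered file, original signature verifies:    %v\n", o.TamperedVerifies)
	fmt.Printf("tampered file, third-party signature verifies: %v\n", o.ForgedVerifies)
	fmt.Printf("tampered file, recomputed CRC matches:         %v\n", o.TamperedCRCMatches)
}
```

The last line is the whole point of the reply above: a checksum travels with the file and can be regenerated by whoever edits it, so it only ever says "this copy matches the CRC in the NFO you were handed". The signature check is the one that needs a key the modifier does not have, and it is also the property that turns `P` into the smoking gun the earlier comment describes.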