> Almost all prominent Linux distributions use package signing to allow
> users and system administrators to verify the integrity of packages.
> Typically, package uploaders use a private GPG key to sign the package
> before it is pushed to the release server
That approach is not entirely typical -- Debian and presumably most or all of its derivatives use the second approach, where there's a checksum-based trust path to a central file that is signed.
This broadly reminds me of discussions in Debian about how to provide a trust path to packages. Some wanted to embed the signatures inside each package, while others preferred that a central list of packages in the distribution (and checksums) be signed, and some preferred both. There were plusses and minuses to both approaches (for example, if packages are individually signed by their uploaders, how to handle key revocation? If packages are centrally signed, how to handle the checksum path becoming cryptographically broken?), and implementing both methods and deciding between them took time in which there remained little strong security.
Of course, that was many years ago, and I can't remember anyone doing quite the ostrich imitation described in this article.
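The checksum-based trust path described in this comment, as an added example (not the commenter's code or Debian's own tooling): a small Python verifier that walks from a Release file (assumed to have already been signature-checked against the archive key, the only step that needs a key) through the Packages index to a .deb, and that refuses to chain through any digest section other than SHA256. File names, index contents and package bytes are constructed.

```python
import hashlib

def parse_release_sha256(release_text):
    """Parse the SHA256 section of a Debian-style Release file into {path: (hash, size)}.
    Weaker sections (MD5Sum, SHA1) are deliberately ignored so the chain cannot
    be built through a broken digest."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Parse a Packages index (RFC 822-style stanzas) into {Filename: SHA256}."""
    out, fields = {}, {}
    for line in packages_text.splitlines() + [""]:
        if line == "":
            if "Filename" in fields:
                out[fields["Filename"]] = fields.get("SHA256")
            fields = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return out

def verify_chain(release_text, packages_text, deb_path, deb_bytes):
    """Trust path: (signed) Release -> Packages index -> .deb.
    Returns True only if every link matches by SHA256 hash (and size for the index)."""
    sha256 = lambda b: hashlib.sha256(b).hexdigest()
    index_path = "main/binary-all/Packages"  # constructed index location
    expected_index = parse_release_sha256(release_text).get(index_path)
    raw_index = packages_text.encode()
    if expected_index is None or expected_index != (sha256(raw_index), len(raw_index)):
        return False  # index missing from the signed file, or tampered
    expected_deb = parse_packages(packages_text).get(deb_path)
    return expected_deb is not None and expected_deb == sha256(deb_bytes)

# Constructed sample archive: a fake .deb, an index listing it, and a Release file
# listing the index. Hashes are computed here so the sample is internally consistent.
DEB = b"!<arch>\nconstructed-fake-deb-contents\n"
DEB_PATH = "pool/main/e/example_1.0_all.deb"
PACKAGES = (f"Package: example\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n")
RELEASE = ("Origin: Constructed\nSuite: demo\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES.encode())} main/binary-all/Packages\n")
```

Swapping the Release file's `SHA256:` header for `MD5Sum:` makes `verify_chain` fail, which is the behaviour you want when a digest in the chain is no longer trusted.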