Verifying an OpenPGP detached signature would be more reliable for package maintainers, though, since they would quickly develop a history. It's the same rationale as web browser add-ons that alert you when the SSL cert for a site you visit _changes_, on the basis that it's far more likely bad guys will attempt a MitM attack somewhere between your 1st and Nth visit than before the 1st visit.
This seems like it's worth building into package building automation. "Download new source" should be "Download, verify as authentic and refuse to continue if not" for every package that provides detached signatures. This would require explicit intervention if the author (or rather signer) changes, but that is a significant event of which the maintainer certainly should be aware.
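One way to wire the "download, verify, refuse if not authentic, flag a changed signer" step into a build script, as an added example (not code from the thread or from any packaging tool): a POSIX sh wrapper that runs `gpg --verify` with `--status-fd`, pins the primary key fingerprint on the first successful verification, and stops the build on a bad signature or a different signer. The pin file path, the tarball and `.asc` names, and the exit-code convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes gpg on PATH and a detached .asc.

# Read a gpg --status-fd transcript and apply the pin policy.
# Prints the signing key's primary fingerprint on stdout.
# Exit codes: 0 good signature from the pinned key
#             2 good signature but nothing pinned yet (first use)
#             1 no valid signature, or the signer changed
check_signer() {
    status_file=$1
    pin_file=$2
    # VALIDSIG means the signature itself checks out (gpg's trust model is not
    # consulted); field 12 is the primary key fpr, field 3 the signing subkey.
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
                   print ($12 != "" ? $12 : $3); exit }' "$status_file")
    if [ -z "$fpr" ]; then
        echo "no valid signature" >&2
        return 1
    fi
    echo "$fpr"
    [ -s "$pin_file" ] || return 2
    pinned=$(cat "$pin_file")
    if [ "$pinned" != "$fpr" ]; then
        echo "signer changed: pinned $pinned, got $fpr" >&2
        return 1
    fi
    return 0
}

# Verify a tarball against its detached signature; pin on first use, otherwise
# stop the build unless the pinned key signed it.
verify_download() {
    tarball=$1; sig=$2; pin_file=$3
    status=$(mktemp)
    gpg --batch --status-fd 3 --verify "$sig" "$tarball" 3>"$status" \
        >/dev/null 2>&1 || true   # outcome is re-derived from the status lines
    rc=0
    fpr=$(check_signer "$status" "$pin_file") || rc=$?
    rm -f "$status"
    case $rc in
        0) echo "verified: signed by pinned key $fpr" ;;
        2) echo "$fpr" > "$pin_file"; echo "first use: pinned $fpr" ;;
        *) echo "refusing to continue with $tarball" >&2; return 1 ;;
    esac
}

# Usage: verify.sh pkg-1.0.tar.gz pkg-1.0.tar.gz.asc pkg.pin
if [ "$#" -eq 3 ]; then verify_download "$@"; fi
```

A signer change exits non-zero like a bad signature, so the maintainer has to look at it and, if the new key is legitimate, update the pin file by hand.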