I think my opinion about extension signatures got a little confused here "Owen Taylor's preferred plan involves two signatures: one from each reviewer, and a separate one from the site although he noted that the manual steps could constitute a weak spot." but if you read the mail that is linked to, you'll see that two-signature plan was just a thought experiment about ways we could use signatures that actually enhanced security beyond our current plans. And one that I didn't consider immediately practical.
The current security plans consist of: a) lock the code that does installation of extensions to extensions.gnome.org b) use https to maintain the integrity of the connection between the client and extensions.gnome.org c) have a thorough review process for extensions hosted on extensions.gnome.org d) take appropriate measures for the security of the web site and of the machine it's running on. We'll certainly be evaluating ways of making things better as we go along.