
All the most used Linux distros use a PGP-based check before installing packages.

These distros are distributed with a keychain that contains keys for all the approved developers/uploaders. What you have to trust is the fact that the keychain you have is the real one, but that is easy to do. Once you trust your keychain you can install things securely: the private pairs are in hands of people that have been through processes similar to this http://www.debian.org/devel/join/newmaint .
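The mechanism the comment above describes in one sentence ("once you trust your keychain you can install things securely") rests on a hash chain: the distro signs a single Release file, and everything else is verified by digest against it. The following is an added example, not code from the thread or from any distro's package manager; it assumes the PGP signature over the Release file has already been checked against the trusted keyring (the `gpgv --keyring ...` step), and it uses constructed sample data rather than real archive files, with hypothetical names such as `verify_chain`.

```python
"""Added example: the apt-style hash chain that follows a verified Release
signature.  Release (signed) -> Packages index -> .deb.  The PGP check itself
is assumed to have succeeded already; this shows why one signature over the
Release file covers every package in the archive."""
import hashlib

# Constructed sample .deb payload and Packages index (not real archive files).
DEB_BYTES = b"!<arch>\nconstructed-sample-deb-contents\n"
PACKAGES_TEXT = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/h/hello/hello_1.0-1_amd64.deb\n"
    "Size: %d\n"
    "SHA256: %s\n"
) % (len(DEB_BYTES), hashlib.sha256(DEB_BYTES).hexdigest())
PACKAGES_BYTES = PACKAGES_TEXT.encode()

# Constructed Release file: the text gpgv would have verified the signature over.
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    " %s %d main/binary-amd64/Packages\n"
) % (hashlib.sha256(PACKAGES_BYTES).hexdigest(), len(PACKAGES_BYTES))


def parse_release_sha256(release_text):
    """Return {path: (sha256hex, size)} from the SHA256 block of a Release file."""
    entries = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False  # any non-indented line ends the block
    return entries


def parse_packages(packages_text):
    """Return {package name: {field: value}} from a Packages index
    (stanzas are separated by blank lines)."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        pkgs[fields["Package"]] = fields
    return pkgs


def verify_chain(release_text, packages_bytes, packages_path, package_name, deb_bytes):
    """Walk Release -> Packages -> .deb.  True only if every size and digest
    matches; any mismatch anywhere in the chain rejects the package."""
    release = parse_release_sha256(release_text)
    if packages_path not in release:
        return False
    digest, size = release[packages_path]
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return False  # index was altered or is not the one the signed Release names
    pkg = parse_packages(packages_bytes.decode()).get(package_name)
    if pkg is None:
        return False
    return (int(pkg["Size"]) == len(deb_bytes)
            and hashlib.sha256(deb_bytes).hexdigest() == pkg["SHA256"])


if __name__ == "__main__":
    path = "main/binary-amd64/Packages"
    print("genuine .deb accepted:", verify_chain(RELEASE_TEXT, PACKAGES_BYTES, path, "hello", DEB_BYTES))
    print("tampered .deb accepted:", verify_chain(RELEASE_TEXT, PACKAGES_BYTES, path, "hello", DEB_BYTES + b"x"))
```

The point to take from it is that the keyring only ever has to vouch for the Release file; a swapped Packages index or a modified .deb fails the digest comparison without any further signatures, which is why the single trust decision the comment mentions is enough.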



What it comes down to is you have to trust someone, eventually. You've got to trust your distro and its installed version of GPG, or you've got to trust your own compiled version of GPG, etc. Unless you're savvy enough to download the source code and confirm it's safe, you're stuck trusting someone.

It's sort of a chicken and the egg problem, PGP. A better web of trust would help resolve these issues (I'm probably not that many trusted steps from a Debian developer), but without a better web of trust, it's hard to build a web of trust, if that makes any sense.

And it seems no one does key signing parties any more...



