@lkundrak I help maintain a bunch of Fedora packages and I don't even know how to set up sig verification for source files. Whatever I download on my workstation is what gets hashed and blessed as the real source.

But honestly, most projects these days don't even sign releases, they just host directly from GitHub tags or what have you. The assumption is that GitHub itself is secure enough and people know how to keep their repos secure (or if they get directly compromised, people will notice quickly). I do at least sign my tags on Git, but literally nobody checks that and I've had other contributors push release tags without a sig before and nobody cared.

Given the rather few stories of outright infra compromises leading to actual downstream compromise, and the most recent Jia Tan social engineering episode (which *gasp* even had tarball signatures, and in fact was *aided* by out-of-band tar releases not being directly sourced from GitHub!), I think we're doing okay on infra and we should be a lot more worried about social engineering and hidden backdoors than that.

(Oh yeah, and the part where the Intel employee responsible for maintaining a certain Linux driver deliberately introduced a security bug because he was lazy and admitted so in a comment and the commit message, and nobody cared, and I just found out 3 years later... yeah, we really have much bigger things to worry about than package signatures, seriously)
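The first paragraph describes the Fedora workflow where a maintainer's own download is hashed into the package's `sources` file and that hash is what the build system later trusts. The following is an added example, not code from the post's author or from Fedora's tooling: a small stdlib-only verifier that parses `sources` lines in the dist-git `ALGO (filename) = hexdigest` form (and the older `hexdigest  filename` checksum form), recomputes the digest over the archive bytes, and reports a mismatch. The tarball contents and the `sources` text are constructed inline so it runs offline. What it demonstrates is exactly the limit the post points at: the pinned hash proves the build input is byte-identical to whatever the maintainer downloaded, and nothing about whether that download matched what upstream actually released.

```python
import hashlib
import hmac
import re

# Constructed sample archive bytes standing in for a downloaded source tarball.
SAMPLE_TARBALL = b"fake-project-1.0.tar.gz (constructed sample bytes, not a real archive)\n"

# Constructed 'sources' file in the dist-git "ALGO (filename) = hexdigest" layout,
# pinning the digest of the sample above, as a maintainer's upload would.
SAMPLE_SOURCES = (
    "SHA512 (fake-project-1.0.tar.gz) = "
    + hashlib.sha512(SAMPLE_TARBALL).hexdigest()
    + "\n"
)

# "SHA512 (name.tar.gz) = <hex>" style line.
SOURCES_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$"
)

# Digest length (hex chars) -> algorithm, for the legacy "<hex>  <filename>" layout.
LEGACY_ALGO_BY_LEN = {32: "md5", 64: "sha256", 128: "sha512"}


def parse_sources(text):
    """Return {filename: (algo, hexdigest)} parsed from a sources file.

    Raises ValueError on a line in neither supported layout, so a corrupted
    or hand-edited sources file fails loudly instead of silently pinning nothing.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SOURCES_LINE.match(line)
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
            continue
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
            algo = LEGACY_ALGO_BY_LEN.get(len(parts[0]))
            if algo is not None:
                entries[parts[1]] = (algo, parts[0].lower())
                continue
        raise ValueError(f"unparseable sources line {lineno}: {line!r}")
    return entries


def verify_source(name, data, entries):
    """True iff `data` hashes to the digest pinned for `name`.

    Returns False for an unknown filename, an unsupported algorithm, or a
    mismatch. Uses a constant-time comparison out of habit; the digests are
    public, so this is hygiene rather than a security requirement here.
    """
    if name not in entries:
        return False
    algo, expected = entries[name]
    try:
        h = hashlib.new(algo)
    except ValueError:
        return False
    h.update(data)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    pinned = parse_sources(SAMPLE_SOURCES)
    print("intact archive verifies:", verify_source("fake-project-1.0.tar.gz", SAMPLE_TARBALL, pinned))
    print("tampered archive verifies:", verify_source("fake-project-1.0.tar.gz", SAMPLE_TARBALL + b"\x00", pinned))
```

Run against a real package, the archive bytes would come from the file on disk and the `sources` text from dist-git; the check then catches any modification between the maintainer's upload and the build. It cannot catch a tarball that was already wrong when the maintainer fetched it, which is why an upstream signature checked against a key obtained out of band is a separate step rather than something a stronger hash can replace.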