RE: chaos.social/@gsuberland/11668

Java solves this by virtue of Maven Central requiring you to have a working GPG signing setup, a hurdle much too big for even a malware author to bother with.