> If I am downloading a package from a trustworthy site - "certified" by a
> legal entity - I should be doing good, right.
Jambunathan,
The existing problem statement is that while we (presumably) trust the GNU Emacs code, we do not per se trust the other packages in existence. How do we know those packages are what the original authors created? It is not the best idea from a security standpoint to download arbitrary code from the emacs wiki and execute it!
The ELPA infrastructure now allows pulling extensions from multiple non-GNU repositories. I certainly hope no one hacks them! If someone does, then a certification mechanism would assist the user in telling them that something's gone very wrong. So a signing mechanism allows the distributor to certify his/her code as being written by him/her, and you to verify that the distributor certified their code. Whether the code itself is any good is a different question, of course - a malicious distributor that everyone trusts is a big problem!
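The distinction drawn in this message (a signature proves who published a package and that it was not altered, not that the code is any good) can be shown with a small model, added here as an example and not taken from the thread or from ELPA's own implementation. It assumes an Ed25519 detached signature over the package name and body; the package names and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package models one archive entry: the tarball bytes plus a detached
// signature made by the distributor's private key.
type Package struct {
	Name string
	Body []byte
	Sig  []byte
}

// Distributor holds the signing key; only the public half reaches users.
type Distributor struct{ priv ed25519.PrivateKey }

func NewDistributor() (Distributor, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Distributor{priv}, pub
}

// message binds name and body so a signature cannot be moved between packages.
func message(name string, body []byte) []byte {
	return append([]byte(name+"\x00"), body...)
}

// Publish is what the distributor does: sign the package before serving it.
func (d Distributor) Publish(name string, body []byte) Package {
	return Package{name, body, ed25519.Sign(d.priv, message(name, body))}
}

// Verify is the client-side check: true only if the signature was made by the
// key the user already trusts and the contents are unchanged.
func Verify(trusted ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(trusted, message(p.Name, p.Body), p.Sig)
}

func main() {
	dist, pub := NewDistributor() // user obtained pub out of band
	genuine := dist.Publish("foo-1.0.tar", []byte("(provide 'foo)"))
	fmt.Println("genuine:", Verify(pub, genuine)) // true

	hacked := genuine // repository compromised: body swapped, old signature kept
	hacked.Body = []byte(";; contents replaced on the server")
	fmt.Println("hacked repository:", Verify(pub, hacked)) // false: detected

	// A trusted distributor shipping bad code is not caught: origin, not quality.
	bad := dist.Publish("foo-1.1.tar", []byte(";; harmful code, properly signed"))
	fmt.Println("trusted but malicious:", Verify(pub, bad)) // true
}
```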