#377: Python Packaging and PyPI in 2022

Talk Python To Me

Package Signing Is Not the Holy Grail

Short-lived tokens directly from your cloud provider? Yes, essentially it works for the copo cloud and a couple other things. People just say it's a little bit like the 2FA stuff. If you just sign your packages to prove they come from you, everything is going to be fine unless the person just goes rogue. There's issues with web of trust, like actually establishing, oh great, like, you've signed this thing, but how do I establish that the person that signed it is actually a person that I trust? And that someone's provided me with a malicious public key, right?

Transcript excerpt (from 48:15)
