>>3
It has hash sums, but not cryptographic sigs like PGP. I wasn't aware of any package manager that uses signed packages... seems kind of contrary to openness, to me. A hash sum is basically an anonymous signature, anyways, since a signature is just an asymmetrically encrypted hash sum.
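Added example, not part of the post above: it runs the two checks the post compares, a published hash sum and a signature computed as an RSA private-key operation on that hash, for the case where whoever serves the package also serves the hash. The toy key (two Mersenne primes, no padding), the package bytes and all function names are assumptions constructed for this sketch and are not fit for real use.

```python
import hashlib
import hmac

# Toy RSA key from two known Mersenne primes (constructed for this demo only:
# special-form primes and unpadded RSA are not secure).
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                      # public key, pinned by the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the maintainer


def digest_int(data: bytes) -> int:
    """SHA-256 of the package as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def publish_hash(pkg: bytes) -> str:
    """Anyone can compute this; no secret is involved."""
    return hashlib.sha256(pkg).hexdigest()


def sign(pkg: bytes) -> int:
    """Textbook RSA signature: the hash raised to the private exponent."""
    return pow(digest_int(pkg), D, N)


def verify_hash(pkg: bytes, listed: str) -> bool:
    return hmac.compare_digest(publish_hash(pkg), listed)


def verify_sig(pkg: bytes, sig: int) -> bool:
    """Needs only the pinned public key (N, E)."""
    return pow(sig, E, N) == digest_int(pkg)


def mirror_swap_demo() -> dict:
    original = b"pkg-1.0 contents (constructed sample)"
    tampered = b"pkg-1.0 contents with a modified file (constructed sample)"
    listed_sig = sign(original)            # made once by the maintainer
    # Whoever serves the file can recompute the hash for the new bytes,
    # but cannot produce a matching signature without D.
    swapped_hash = publish_hash(tampered)
    return {
        "hash_ok_original": verify_hash(original, publish_hash(original)),
        "hash_ok_swapped": verify_hash(tampered, swapped_hash),
        "sig_ok_original": verify_sig(original, listed_sig),
        "sig_ok_swapped": verify_sig(tampered, listed_sig),
    }


if __name__ == "__main__":
    for check, ok in mirror_swap_demo().items():
        print(f"{check}: {ok}")
```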