Package signing is relatively useless. All it tells you is that a given person signed a binary, but it does nothing to tell you whether the contents of that binary match the source code (and currently, no such tooling exists to perform this verification).
Nix and Guix, on the other hand, are primarily source code based. Packages are given an identity which is a secure hash of their source code and complete build instructions. This makes it infeasible to make any modifications to the source code, as intentionally malicious modifications would result in a different hash, and source code changes are detectable in commit logs.
While binary versions of these packages are available via Hydra, one can always use the source code versions if they're worried about security. Long term goals for Nix and Guix are to have completely reproducible binary packages, whereby we can assert that given a package definition, the resulting binaries will be bit identical when compiled from different machines. Instead of relying on a hash of the source code, we'll have a hash of binaries matching a package definition.
And when we get to this stage, we can completely stop worrying about who packaged a piece of software, because the result should be the same regardless. Instead, we can start looking at an alternative model of distribution where several independent parties, chosen by the user, reach a consensus on the binary hash which corresponds to a given package definition, and have that package retrievable through a distributed network (a DHT).
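A sketch of the consensus check described above, as an added example that is not part of the original comment and not code from Nix or Guix. The function names, the strict-majority rule, and the sample builders are assumptions. Builder reports are assumed to arrive over an authenticated channel, and the package identity is a simplified stand-in for a real derivation hash.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def package_id(source: bytes, build_instructions: bytes) -> str:
    # Identity covers source AND build instructions; length prefixes keep the
    # two fields unambiguous. Simplified stand-in, not Nix/Guix's real format.
    h = hashlib.sha256()
    for part in (source, build_instructions):
        h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

def agreed_binary_hash(pkg_id, reports, trusted, threshold):
    """Binary hash reported for pkg_id by >= threshold trusted builders, else None."""
    if threshold * 2 <= len(trusted):
        raise ValueError("threshold must be a strict majority of trusted builders")
    votes = {}
    for builder, reported_id, binary_hash in reports:
        if builder not in trusted or reported_id != pkg_id:
            continue  # ignore builders the user did not choose, and other packages
        if votes.setdefault(builder, binary_hash) != binary_hash:
            votes[builder] = None  # builder contradicted itself: drop its vote
    tally = Counter(v for v in votes.values() if v is not None)
    for binary_hash, count in tally.most_common(1):
        if count >= threshold:
            return binary_hash
    return None

def verify_download(blob, pkg_id, reports, trusted, threshold):
    # A blob fetched from an untrusted network is accepted only if its hash
    # matches the value the user's chosen builders agree on.
    expected = agreed_binary_hash(pkg_id, reports, trusted, threshold)
    return expected is not None and sha256_hex(blob) == expected

# Constructed sample data (not real packages or builders).
SOURCE = b"int main(void) { return 0; }\n"
BUILD = b"cc -O2 -o hello hello.c"
PKG = package_id(SOURCE, BUILD)
GOOD_BIN = b"\x7fELF constructed reproducible output"
BAD_BIN = b"\x7fELF constructed tampered output"
TRUSTED = {"alice", "bob", "carol"}
REPORTS = [
    ("alice", PKG, sha256_hex(GOOD_BIN)),
    ("bob", PKG, sha256_hex(GOOD_BIN)),
    ("carol", PKG, sha256_hex(BAD_BIN)),    # one compromised or non-reproducible builder
    ("mallory", PKG, sha256_hex(BAD_BIN)),  # not chosen by the user: ignored
    ("mallory2", PKG, sha256_hex(BAD_BIN)),
]
```

With a threshold of 2 out of the 3 chosen builders, the reproducible binary is accepted and the tampered one is rejected, no matter how many unchosen builders report the tampered hash.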