lrvick 3 days ago

Package signing of any kind was ruled out in 2013 for nonsensical reasons https://github.com/npm/npm/pull/4016

____tom____ 2 days ago | parent | next [-]

Time to revisit, clearly.

tmpfs 2 days ago | parent [-]

Agreed, more than time to revisit. I have stopped using npm entirely because of their cavalier attitude to security.

Code signing could and should have been implemented years ago. It's not a panacea but just part of defense in depth.

I can't trust npm whatsoever to do the right thing at this point.
