in reply to Re^3: Building Perl and CPAN Modules Securely from Source
in thread Building Perl and CPAN Modules Securely from Source

Could CPAN/PAUSE maintainers not inject|update the signatures unilaterally with only PAUSE keys
I think this is a good idea all by itself, separate from whether the distro author "signs" it: it would provide a validation that the archive file being downloaded was exactly the same as the one originally placed on PAUSE. And it can be implemented right now, retroactively.
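As an added illustration (not part of this thread or of PAUSE's own code), the client-side check that a PAUSE-held digest record makes possible: the downloaded archive is hashed and compared with the sha256 and size PAUSE recorded for it. It assumes a CHECKSUMS file in the Perl-hash format PAUSE publishes and that its PGP clearsignature has already been verified against the PAUSE key; the distribution name, digest and archive bytes below are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the PerlMonks thread): verify a downloaded
# distribution archive against the digest PAUSE recorded for it in the
# directory's CHECKSUMS file. Assumes the CHECKSUMS clearsignature was
# already checked against the PAUSE key; only the digest comparison that
# follows is shown here.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use Safe;

# Constructed sample: CHECKSUMS body in the Perl-hash format PAUSE
# publishes, with a made-up distribution and a digest derived from
# constructed archive bytes (not a real tarball).
my $archive_bytes = "constructed archive contents, not a real tarball\n";
my $checksums_text = sprintf(<<'EOT', sha256_hex($archive_bytes), length $archive_bytes);
$cksum = {
  'Example-Dist-0.01.tar.gz' => {
    'sha256' => '%s',
    'size'   => %d,
  },
};
EOT

# Evaluate the CHECKSUMS data inside a Safe compartment so a hostile
# file cannot run arbitrary code while being parsed.
sub parse_checksums {
    my ($text) = @_;
    my $cpt  = Safe->new;
    my $data = $cpt->reval($text);
    die "CHECKSUMS did not parse: $@" if $@ || ref $data ne 'HASH';
    return $data;
}

# Return 1 if the archive matches its recorded sha256 and size, else 0.
# Missing entries or missing digests fail closed.
sub archive_matches {
    my ($cksum, $name, $bytes) = @_;
    my $entry = $cksum->{$name} or return 0;
    return 0 unless defined $entry->{sha256};
    return 0 if defined $entry->{size} && $entry->{size} != length $bytes;
    return lc $entry->{sha256} eq sha256_hex($bytes) ? 1 : 0;
}

my $cksum = parse_checksums($checksums_text);
print archive_matches($cksum, 'Example-Dist-0.01.tar.gz', $archive_bytes)
    ? "archive matches PAUSE record\n" : "MISMATCH: do not install\n";
print archive_matches($cksum, 'Example-Dist-0.01.tar.gz', "x$archive_bytes")
    ? "unexpected match\n" : "altered copy rejected\n";
```

The digest check is only as strong as the signature check on the CHECKSUMS file itself; if that step is skipped, a mirror serving a modified archive can serve a matching CHECKSUMS file alongside it.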