in reply to Paranoia, NIH, and Beyond
in thread A Fit on NIH

I really like the idea of having a built-in method of verifying the integrity of a module. This could "easily" be done by using a PGP/GPG-style mechanism or simply a built-in method of checking an appended IDEA (crypto-)hash of the source code and/or any XS used by the module.

A really simple way would be to extend the __DATA__ mechanism to also include a __SIGNATURE__ section, which contains an (IDEA)(crypto-)hash of the source code, which can then be checked optionally by Perl against the code and (if available) against a local list of "trusted" keys. Of course, if that list of trusted keys is compromised, all security is down, but if that list can be compromised, bets are that everything else already has been as well.

So, as I see it, a two-fold protection mechanism would need to be in place. One, a public/private key system with CPAN as a central repository for the public keys, so that everybody can check the authenticity of their modules, and a second, global public/private key, owned by CPAN, to check the integrity of every module locally at any time.

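A sketch of the `__SIGNATURE__` trailer check described in the post above, as an added example that is not part of the original post or of Perl itself. The trailer layout, the names `sign_module` and `verify_module`, the choice of SHA-256, and the key list are all assumptions; HMAC-SHA256 with a shared key stands in for the public-key signature the post has in mind, so that only core modules are needed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

# Constructed local "trusted keys" list: key id => key (HMAC stand-in for a public key).
my %TRUSTED = ( 'author-1' => 'constructed-demo-key' );
my $MARK    = "\n__SIGNATURE__\n";

# Append a trailer covering everything before the marker, __DATA__ included.
sub sign_module {
    my ($source, $key_id, $key) = @_;
    $source .= "\n" unless $source =~ /\n\z/;
    my $digest = sha256_hex($source);
    return $source . "__SIGNATURE__\n$key_id $digest " . hmac_sha256_hex($digest, $key) . "\n";
}

# Returns 'ok', 'unsigned', 'malformed', 'hash-mismatch', 'untrusted-key' or 'bad-signature'.
sub verify_module {
    my ($text, $trusted) = @_;
    my $pos = rindex($text, $MARK);
    return 'unsigned' if $pos < 0;
    my $source  = substr($text, 0, $pos + 1);          # keep the newline before the marker
    my $trailer = substr($text, $pos + length $MARK);
    my ($key_id, $digest, $mac) =
        $trailer =~ /\A(\S+) ([0-9a-f]{64}) ([0-9a-f]{64})\n\z/ or return 'malformed';
    return 'hash-mismatch' unless sha256_hex($source) eq $digest;
    my $key = $trusted->{$key_id};
    return 'untrusted-key' unless defined $key;
    return 'bad-signature' unless hmac_sha256_hex($digest, $key) eq $mac;
    return 'ok';
}

# Constructed sample module and three modified copies of it.
my $module = "package Demo;\nsub hello { 'hi' }\n1;\n__DATA__\nsome data\n";
my $signed = sign_module($module, 'author-1', $TRUSTED{'author-1'});
(my $edited = $signed) =~ s/'hi'/'changed'/;                  # body changed, trailer untouched
(my $body   = $module) =~ s/'hi'/'changed'/;
my $forged   = sign_module($body, 'author-1', 'wrong-key');   # hash redone, key not known
my $stranger = sign_module($body, 'someone-else', 'own-key'); # valid trailer, key not on the list

printf "%-28s %s\n", @$_ for (
    [ 'as shipped',               verify_module($signed,   \%TRUSTED) ],
    [ 'body edited',              verify_module($edited,   \%TRUSTED) ],
    [ 'hash recomputed, bad key', verify_module($forged,   \%TRUSTED) ],
    [ 'signed by unlisted key',   verify_module($stranger, \%TRUSTED) ],
    [ 'no trailer',               verify_module($module,   \%TRUSTED) ],
);
```

The third and fourth cases show why the trusted-key list matters: a bare appended hash can be recomputed by whoever edits the file, so only the keyed check against a locally trusted key detects the change.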