No. Malicious upstreams will have their software properly signed as theirs.