Integrity checks say nothing about the package's authenticity, though. State-sponsored actors could just... change the hash on the listing in a hypothetical attack.
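The point above as an added example, not part of the original comment: a hash published on the same listing as the package still matches after both are replaced, while a signature checked against a key the client pinned out of band does not. The `Listing` type, the function names and the package contents are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Listing is what a download page serves (hypothetical type for this example).
type Listing struct {
	Package   []byte
	SHA256Hex string // hash published beside the package
	Signature []byte // detached Ed25519 signature over the package
}

// HashMatches is the integrity check: does the package match the hash
// published on the same listing?
func HashMatches(l Listing) bool {
	sum := sha256.Sum256(l.Package)
	return hex.EncodeToString(sum[:]) == l.SHA256Hex
}

// SignatureValid is the authenticity check: was the package signed by the
// key the client pinned out of band (never fetched from the listing)?
func SignatureValid(l Listing, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, l.Package, l.Signature)
}

// Publish builds a listing the way the legitimate maintainer would.
func Publish(pkg []byte, key ed25519.PrivateKey) Listing {
	sum := sha256.Sum256(pkg)
	return Listing{pkg, hex.EncodeToString(sum[:]), ed25519.Sign(key, pkg)}
}

// Tamper models the comment's scenario: the listing is rewritten with new
// contents and a recomputed hash, but without access to the signing key.
func Tamper(l Listing, newPkg []byte) Listing {
	sum := sha256.Sum256(newPkg)
	return Listing{newPkg, hex.EncodeToString(sum[:]), l.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	good := Publish([]byte("pkg-1.0 original contents"), priv)
	bad := Tamper(good, []byte("pkg-1.0 replaced contents"))
	fmt.Println("original: hash", HashMatches(good), "sig", SignatureValid(good, pub))
	fmt.Println("tampered: hash", HashMatches(bad), "sig", SignatureValid(bad, pub))
}
```

The signature only helps if the verification key reaches the client through a channel the listing's operator cannot rewrite; a key downloaded from the same page has the same weakness as the hash.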