As per distros installation is normally accepted that the packaged are signed. Therefore also HA should have its own trusted users list which would have to depose their key for verification.
I’m a bit concerned about certain packages which might use malicious scripts to break into somebody house 