
I believe the best way to do it is something like ECDSA to verify and sign update packages - but I'm not familiar enough with the crypto field to understand how the entire mechanism works.



Sure, signatures are ideal. The problem for distribution maintainers, I guess, is that really they can't sign off on things; only the actual package developers can. Further, you'd wind up providing a key distribution service which may rapidly become more complex than the software packaging itself.

Given the above, perhaps all distribution maintainers can realistically do is say "it hasn't changed since I first saw it" which is what happens when they provide multiple checksums of a file, which is probably lower CPU and software library overhead than performing a cryptographic signature check.
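An added example, not part of either comment: a minimal Python sketch of the "it hasn't changed since I first saw it" check, with several digests pinned by the maintainer and rechecked by the user. The algorithm set, function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed set of algorithms; the thread does not name any.
ALGORITHMS = ("sha256", "sha512", "blake2b")

def record_digests(data: bytes) -> dict:
    """Maintainer side: pin what the package looked like when first seen."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}

def verify_digests(data: bytes, pinned: dict) -> list:
    """User side: return the algorithm names whose digest does NOT match.

    An empty list means "unchanged since the maintainer recorded it".
    """
    if not pinned:
        raise ValueError("no pinned digests to check against")
    mismatched = []
    for name, expected in pinned.items():
        if name not in hashlib.algorithms_available:
            mismatched.append(name)  # fail closed on an unknown algorithm
            continue
        actual = hashlib.new(name, data).hexdigest()
        # Constant-time comparison of the hex strings.
        if not hmac.compare_digest(actual, expected.lower()):
            mismatched.append(name)
    return mismatched

# Constructed sample data, not a real package.
ORIGINAL = b"pkg-1.0 contents (constructed sample)"
MODIFIED = b"pkg-1.0 contents (constructed sample, altered)"
PINNED = record_digests(ORIGINAL)

if __name__ == "__main__":
    print("original:", verify_digests(ORIGINAL, PINNED) or "ok")
    print("modified:", verify_digests(MODIFIED, PINNED))
    # The digest list only shows the bytes match what was recorded. Unlike a
    # signature it says nothing about who recorded them, so it has to reach
    # the user over a channel the package mirror does not control.
```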



