Four words: Single point of failure. (Or is that six? Or ten? Yes, yes, that's right, twelve words. Let's try that again, shall we? ... ;)
Besides, I strongly believe that it already does this... IIRC apt-get does this to make sure that the packages weren't corrupted (or truncated) in transit.

-Ian

R. Bradley Tilley hath spoke:
>Why can't apt-get be modified to check the md5sum of a package against an
>official debian md5sum list before downloading and installing debs? This
>seems much simpler and easier than signing debs.