Should i trust package manager's signatures? Let's see package managers and software signatures by the point of view of people of "dont trust verify" movement.