That would probably be doable using a PGP-style trust system. Don't know if it'd add much security in practice though, since the "trust these declarations of trust" decision would most likely be automated.
You still have to decide who to trust, but having a collection of many independent parties verifying a package can be a useful signal even if you don't have anyone directly in your trust chain. It makes it a lot harder for rogue releases to go unnoticed.