Yes. Proper package manager usually proceeds to install only signed packages. It means that usually OS maintainer has verified the purpose of the package.

It gives a quite lot more trust than running arbitrary content as shell script, without any third party verification.

Until you want to use software that it doesn't have, and then you are adding third-party repositories.

Which is still just code from the internet.

Verified using a public key that you acquire over HTTPS, the exact same channel that you trust with curl | sh

From above:

> , without any third party verification.

Certificate provider does not verify packages nor anything what is coming from there. Server even might be just proxy.

The exact same problem exists with the channel that you acquire the public key you trust from. You’re still fundamentally trusting HTTPS to the package provider - you’re just trusting it at a different point.

Usually keyring is separate package which is also signed with a key which can be verified from multiple different sources.

Of course, if you are a target of nation state attack, which fakes public keys from all sources by MITMn DNSs and servers, you might end up with the wrong package.

But that threat model is totally different.