I actually don’t agree with that either. Signing the hash, perhaps, but that’s getting into semantics. But signed debs… Well, see end-to-end signed debs. debsign, debsig and dpkg-sig. It’s about end-to-end signed packages (or hashes of these packages). Therefore it shouldn’t be deleted from the criteria without replacement.