@ofek You’ll likely find Ideas for client side package provenance checks of interest.
While that initial post is derived from the PEP 752 and PEP 755 discussions, it covers enough topics that PEP 752 considers out of scope that it seemed better to give it its own thread.