That's the whole problem. There's no way to verify the authenticity of a release aside from "getting it from a trusted source" or whatever, whereas digital signatures would easily solve this issue.