The initial install code would need to be verified for authenticity and the only way to accomplish that is to have the core developer sign the code personally or have a neutral third-party like the Bitcoin Foundation sign downloadable code with their certificate as a registered developer.