I don’t really understand how you came to the conclusion that a particular type of signature would imply the need for manual checking, especially when you are talking about GPG, the de facto standard for securing software distribution in the Linux world. The only option I see is to attribute this to a lack of understanding of the issue of securing software distribution in general, which is well covered by countless resources freely available on the web, so I will leave that part open and jump directly to the how-to.
Inside Sailfish IDE, package signing may be enabled with Projects → Build → Sailfish SDK Settings → Sign packages. The initial setting can be changed globally under Options → Sailfish OS → General → RPM Signing with GnuPG.
With sfdk, the CLI tool, package signing may be enabled with the --sign switch to either the package command. Check the “SIGNING PACKAGES” section of sfdk --help-building to learn how to choose the signing identity.
As a side note on signature verification on the Sailfish OS side, trusted keys may be imported with the standard rpmkeys command. It is on the roadmap to enable RPM key management from the Settings application.
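On the verification side mentioned above, the thing that bites people is that rpmkeys --checksig reports "digests OK" for a package that carries no signature at all, so a check that only looks for "OK" lets unsigned packages through. Below is an added example (not code from the post, the SDK or Sailfish OS) of a small POSIX sh gate that classifies the checksig output; it assumes the rpm ≥ 4.14 output wording and uses constructed sample lines with a made-up package name.

```shell
#!/bin/sh
# Classify one output line of `rpmkeys --checksig` (rpm >= 4.14 wording).
# Verdicts:
#   trusted   - digests AND signatures verified against an imported key
#   unsigned  - only digests were checked, i.e. the package carries no signature
#   untrusted - a signature is present but does not verify (e.g. key not imported)
#   unknown   - anything else (treat as a failure, never as success)
classify_checksig() {
  line=$1
  case $line in
    *": digests signatures OK") echo trusted ;;
    *": digests OK")            echo unsigned ;;
    *"NOT OK"*)                 echo untrusted ;;
    *)                          echo unknown ;;
  esac
}

# Gate: succeeds (exit 0) only when the verdict is "trusted".
require_trusted() {
  [ "$(classify_checksig "$1")" = trusted ]
}

# Real-world wrapper: run rpmkeys on a package file and apply the gate.
# Not exercised by the constructed samples below; needs rpmkeys installed
# and the signing public key imported first with `rpmkeys --import KEYFILE`.
# Usage: verify_rpm harbour-foo.rpm && echo "safe to install"
verify_rpm() {
  require_trusted "$(rpmkeys --checksig "$1" 2>&1)"
}

# Constructed sample lines (package name is made up) covering the three cases.
SIGNED_OK='harbour-example-1.0-1.aarch64.rpm: digests signatures OK'
UNSIGNED='harbour-example-1.0-1.aarch64.rpm: digests OK'
NOKEY='harbour-example-1.0-1.aarch64.rpm: digests SIGNATURES NOT OK'
```

The pattern order matters: the "digests signatures OK" case must be tested before the bare "digests OK" case, since the latter would otherwise never be reached as an "unsigned" verdict on its own.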