I don’t really understand how you came to the conclusion that a particular type of signature would imply the need for manual checking, especially when you are talking about GPG, the de facto standard for securing software distribution in the Linux world. The only option I see is to attribute this to a lack of understanding of the issue of securing software distribution in general, which is well covered by countless resources freely available on the web, so I will leave that part open and jump directly to the how-to.
Inside Sailfish IDE, package signing may be enabled with Projects → Build → Sailfish SDK Settings → Sign packages. The initial setting can be changed globally under Options → Sailfish OS → General → RPM Signing with GnuPG.
With sfdk, the CLI tool, package signing may be enabled with the --sign switch to either the build or package command. Check the “SIGNING PACKAGES” section of sfdk --help-building to learn how to choose the signing identity.
As a side note on signature verification on the Sailfish OS side, trusted keys may be imported with the standard rpmkeys command. It is on the roadmap to enable RPM key management from the Settings application.
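The verification side described in the post, written out as an added example (this is not code from the post, the Sailfish SDK or rpm itself). It assumes the verdict format that rpm 4.14 and later print for `rpmkeys --checksig` / `rpm -K` (“file: digests signatures OK”), and the sample lines at the bottom are constructed, not captured from a device. The point it makes is the one a practitioner needs before trusting rpm’s exit status: an unsigned package passes the digest check with exit status 0, so a script has to look for the word “signatures” in the verdict, not just for “OK”.

```shell
#!/bin/sh
# Added example, not from the original post or the Sailfish SDK: classify the
# verdict line that `rpmkeys --checksig` / `rpm -K` prints for one package.
# Assumes the rpm >= 4.14 output format ("<file>: digests signatures OK").
#
# Outcomes that matter:
#   "digests signatures OK"      -> signed with a key in the rpm keyring: accept
#   "digests SIGNATURES NOT OK"  -> signed, but key unknown or signature bad: reject
#   other "NOT OK"               -> corrupt payload or header digest: reject
#   "digests OK"                 -> no signature at all, only checksums: reject
# The last case is the trap: rpm exits 0 for an unsigned package, so the exit
# status alone is not a signature check.

# sig_verdict LINE -> prints signed | untrusted | corrupt | unsigned | unknown
sig_verdict() {
    case "$1" in
        *"digests signatures OK"*) echo signed ;;
        *"SIGNATURES NOT OK"*)     echo untrusted ;;
        *"NOT OK"*)                echo corrupt ;;
        *"digests OK"*)            echo unsigned ;;
        *)                         echo unknown ;;
    esac
}

# require_signed LINE -> exit status 0 only for a trusted signature
require_signed() {
    [ "$(sig_verdict "$1")" = signed ]
}

# verify_rpm FILE -> runs rpmkeys on a real package and applies the same rule.
# Not executed below: it needs rpm installed and the vendor key imported.
verify_rpm() {
    out=$(rpmkeys --checksig "$1" 2>&1)   # prints "<file>: digests ... OK"
    echo "$out"
    require_signed "$out"
}

# Trusted keys are imported once, as root, with the standard tool mentioned
# in the post:
#   rpmkeys --import /path/to/vendor-pubkey.asc
# Afterwards `rpm -q gpg-pubkey` lists the imported key as a pseudo-package.

# Constructed sample verdict lines (not captured from a real system):
for line in \
    "foo-1.0-1.armv7hl.rpm: digests signatures OK" \
    "foo-1.0-1.armv7hl.rpm: digests SIGNATURES NOT OK" \
    "foo-1.0-1.armv7hl.rpm: digests OK"
do
    printf '%-52s -> %s\n' "$line" "$(sig_verdict "$line")"
done
```

To use it against a real package on a device, import the publisher’s key with `rpmkeys --import`, then call `verify_rpm the-package.rpm` and install only when it returns 0; the same function can sit in front of `rpm -i` or `pkcon install-local` in a deployment script.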