A business or government can (should) separately package, review, and audit code without involving upstream developers or maintainers at all.
This option is available already in the form of closed-source proprietary software.

If someone wants a package manager where all projects mandate verifiable ID, that's fine, but I don't see that getting many contributors. And I also don't see that stopping people from using fraudulent IDs.

Do you know who inspected a bridge before you drive over it?