Closed
Description
I just read #75, which seems to suggest that binary cache 'packages' can be signed... however, this does not seem to cover packages that are installed from source. The Nix packages do seem to have hashes of external downloads, but those wouldn't be useful for verification unless the .nix file itself were signed somehow.
How would one publish a Nix expression(?) that can be cryptographically verified to be unmodified?