I have no idea why you’re being downvoted. The whole thing with Flatpaks is that they come from a large number of individuals, maybe the author of the software, but often not from a central organization you can trust. That’s the fundamental difference to distro repos, which can just have a single anchor for trust.
Mindlessly signing something doesn’t increase security in any way. Then requiring it just means the hassle of having to add keys to be trusted every time you want to install anything. Malicious actors can just create a key and sign the package as well. That’s the whole reason it isn’t required in the first place.