As for RPM or Debian packages, the packager could sign the archive.zip file inside install.jar, using the vainstall.archive.signwithkey key.
