I am thinking how many of the existing ELPA repositories will go to the
extent of getting a signature from a legal entity. Mostly they are
"wannabes" or individual efforts.
Unless I am entirely foolish, which is always possible, the idea of having a legal entity effectively notarize the code is not the idea. The general idea is that the individual (or the package repository maintainer) would use GPG to sign their code (perhaps with bzr, git, hg, or directly with gpg), and this pub key would be available for the user to download, much like Launchpad does for the Debian infrastructure.
I am pretty sure that reliability is not the concern in this thread, but protecting against malicious behavior, since public/private key crypto is under consideration.
I am sure that if I am wrong in any of this, more learned and experienced emacs-devel members will instruct me.