I’m guessing what you’re suggesting is that Google’s proposal is the same as requiring all packages be signed and accompanied by an Extended Validation or Oragnisation Validation X.509 certificate.

While that would technically work, the problem with using the existing PKI is that it’s still very expensive to get EV/OV certificates. And the most common of these certs (those for TLS purposes) will soon only last 47 days which is, to put it mildly, would be a pain in the ass to use for package-signing.