Package signing goes back much further than that--it was present in Potato and probably before that. Many (most?) "nonofficial" official repositories use gpg signing also, like Debian Multimedia, but this doesn't prevent anyone from downloading unsigned .debs and installing packages that way.

The n900 comes with a trusted keys keyring although I'm not sure what it's used for. Regardless, it's a matter of Nokia using security tools already available in .deb and .rpm package management, and not a package format problem.