If you have code that otherwise works, I wouldn't worry about it. The flat package installer format isn't going anywhere any time soon. If you're writing new code - It's not a great solution, but you could run "pkgutil --check-signature Some.pkg", and parse the output.

Thanks for answering. I did in fact end up blocking signals.