Pretend Python packages prey on poor typing

thames
Boffin

The Real Problem is a Bit More Complicated

The PyPI repository has supported author GPG package signatures for years. Pip, however, doesn't automatically check them. You can supposedly do this via Debian uscan, but I haven't tried that, so I can't say how easy it is to do.

Signatures, however, don't solve the problem being described here. If the package was signed by the author, all that tells you is that the package hasn't been altered on the server after it was uploaded by the author. If you can't trust the author, the signature doesn't help you at all. You get exactly the same issue with GitHub, CPAN, or any other public repository of source code or binaries.

The real problem is that adding signature checking does nothing to address the actual root cause. The actual problem is verifying that what you told the package manager is what you thought you really meant. If you meant to install package 'x' but told Pip to install package 'y', then Pip can only go by what you said. In a repo of developer tools and libraries, there are legitimate reasons for having some very dangerous tools in the toolbox.

The real solution for most people is to install from their Linux distro's repo, rather than directly from Pypi (or any open repo). Thinking about these sorts of problems is exactly what the people at distros are there for. They go out and get the packages they think should be in their distro repos, rather than letting just anybody upload whatever they want. Stuff gets added to the repos when there is genuine demand for it. If you are running Debian and want Django, get it from the Debian distro and you will get a version that is vetted, has automatic security notifications and updates, and you will get a version which has been integrated and tested to work with the rest of the system.

If you really need to get something directly from PyPI (because, for example, it's a more obscure package which is not in Debian's repos), then check out what you're asking for rather than just browsing around and picking a name that looks close. You can download a package and install it later from a local copy if you're really worried about poor typing skills.
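The post's point is that the package manager can only act on the name you typed, so the check has to happen before the name reaches pip. The following is an added example, not the commenter's code and not part of pip: it normalises the requested name the way PyPI does (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`), compares it with an allowlist of the packages a project actually intends to use, and flags near-misses that look like a typo. The allowlist (`EXPECTED`) and the edit-distance threshold of 2 are constructed assumptions for the example.

```python
"""Typo guard for package names, to run before handing a name to pip.

Added example: normalise a requested package name per PEP 503, compare it
against an allowlist of intended packages, and flag near-misses that are
more likely a typo than a deliberate choice.
"""
import re

# Constructed allowlist: the packages this (hypothetical) project intends to
# depend on. In practice this would be generated from a reviewed
# requirements file, not typed by hand.
EXPECTED = {"django", "requests", "numpy", "python-dateutil"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation, as used by PyPI and pip.

    'Django', 'Python_DateUtil' and 'python.dateutil' all map to the same
    canonical name, so the comparison below is not fooled by case or
    separator differences.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance.

    A swapped adjacent pair ('djnago' vs 'django') counts as a single edit,
    matching how real typos happen, rather than the two edits plain
    Levenshtein would charge.
    """
    prev2 = None                       # row i-2
    prev = list(range(len(b) + 1))     # row i-1 (row 0: distance to empty a)
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1,       # delete ca
                    cur[j - 1] + 1,    # insert cb
                    prev[j - 1] + cost)  # substitute / match
            # transposition of the last two characters of each prefix
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def check_request(requested: str, expected=EXPECTED, max_dist: int = 2):
    """Classify a requested package name against the allowlist.

    Returns one of:
      ("ok", name)            exact (normalised) match, safe to pass to pip
      ("suspicious", closest) within max_dist edits of an expected name;
                              almost certainly a typo, refuse and ask
      ("unknown", name)       not close to anything expected; needs review
                              before it is added to the allowlist
    """
    wanted = normalize(requested)
    if wanted in expected:
        return ("ok", wanted)
    closest = min(expected, key=lambda e: edit_distance(wanted, e))
    if edit_distance(wanted, closest) <= max_dist:
        return ("suspicious", closest)
    return ("unknown", wanted)


if __name__ == "__main__":
    for name in ["Django", "djnago", "Python_DateUtil", "reqeusts", "flask"]:
        verdict, detail = check_request(name)
        print(f"{name!r}: {verdict} ({detail})")
```

The guard deliberately refuses rather than auto-corrects a suspicious name: silently substituting `django` for `djnago` would reintroduce exactly the "the tool decided what you meant" problem. The complementary measure once the name is right is to pin what you install with hashes (`pip install --require-hashes -r requirements.txt`), which ties each install to a specific artifact rather than to a name alone.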
