Plugin and theme component signing

I think this makes great sense. We have SRI for JavaScript, MS Authenticode for Windows.
There have been a lot of supply chain attacks on, for instance, NPM and RubyGems.

The only thing that worries me is that there would be a barrier for people to get their plugin or theme component “accepted”, like how Microsoft SmartScreen prevents users from running lesser-known software from single developers.

5 Likes