It would be nice if crates supported being signed with GPG or minisign or whatever.
I can imagine for example, importing keys from only the authors that I think I can trust, and passing a flag to cargo that only allows using those packages for cargo install or cargo add.
In this case I think just checking the top level crates signature (and not dependencies) would be enough to mitigate a lot of issues including typo squatting.
'cargo crev' makes this kind of workflow possible: https://github.com/crev-dev/cargo-crev