An interesting thing for an open source project might be to put code-signing keys (for a reviewer) out with pseudonymous people on the Internet -- real identities unknown to the developers.
I'd be happy to only use releases of 1Password which were signed by both AgileBits and a few nyms with a long history of being awesome (e.g. Satoshi).
If the NSA had a long history of auditing and signing good code, in addition to an unmolested and identifiable developer, and a combination of known and unknown nyms who also could attest to the security of the specific code I'm running, I'd be quite happy with their incremental approval.
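The release policy sketched in this comment, vendor signature plus a threshold of independent pseudonymous reviewers over the same artifact, as an added example that is not part of the original comment and not AgileBits' or 1Password's code. It assumes Ed25519 detached signatures over a SHA-256 digest of the release bytes (my choice of primitives, not the commenter's), and the signer names "vendor", "nym1", "nym2", "nym3" are constructed placeholders. The policy only checks cryptographic validity against keys you already trust; the "long history of being awesome" that earns a key a place in the reviewer set is a trust decision made outside the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is a key holder whose signature may count toward the release policy.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Policy: a release is acceptable only if the vendor signed it AND at least
// MinReviewers of the independent reviewer keys also signed the same digest.
type Policy struct {
	Vendor       Signer
	Reviewers    []Signer
	MinReviewers int
}

// releaseDigest is the message every party signs: SHA-256 over the artifact.
func releaseDigest(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// Verify returns nil when sigs (signer name -> detached signature) satisfy the
// policy for artifact, otherwise an error naming the first unmet requirement.
func (p Policy) Verify(artifact []byte, sigs map[string][]byte) error {
	digest := releaseDigest(artifact)

	vsig, ok := sigs[p.Vendor.Name]
	if !ok || !ed25519.Verify(p.Vendor.Pub, digest, vsig) {
		return fmt.Errorf("missing or invalid vendor signature from %q", p.Vendor.Name)
	}

	valid := 0
	for _, r := range p.Reviewers {
		// Only signatures from keys already in the policy count; unknown names are ignored.
		if sig, ok := sigs[r.Name]; ok && ed25519.Verify(r.Pub, digest, sig) {
			valid++
		}
	}
	if valid < p.MinReviewers {
		return fmt.Errorf("only %d of %d required reviewer signatures are valid", valid, p.MinReviewers)
	}
	return nil
}

// newSigner generates a fresh Ed25519 key pair for the constructed demo.
func newSigner(name string) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub}, priv
}

// sign produces a detached signature over the release digest.
func sign(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, releaseDigest(artifact))
}

func main() {
	vendor, vpriv := newSigner("vendor") // placeholder for the vendor's release key
	nym1, k1 := newSigner("nym1")       // placeholder pseudonymous reviewers
	nym2, k2 := newSigner("nym2")
	nym3, _ := newSigner("nym3")
	pol := Policy{Vendor: vendor, Reviewers: []Signer{nym1, nym2, nym3}, MinReviewers: 2}

	artifact := []byte("constructed release bytes v1.0.0")
	sigs := map[string][]byte{
		"vendor": sign(vpriv, artifact),
		"nym1":   sign(k1, artifact),
		"nym2":   sign(k2, artifact),
	}
	fmt.Println("vendor + 2 reviewers:", pol.Verify(artifact, sigs))
	fmt.Println("tampered artifact:   ", pol.Verify([]byte("different bytes"), sigs))
	delete(sigs, "nym2")
	fmt.Println("vendor + 1 reviewer: ", pol.Verify(artifact, sigs))
}
```

Note that a vendor key alone never satisfies the policy, and the reviewers alone never do either, so neither a compromised vendor key nor a colluding subset of reviewers below the threshold can produce an installable release.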