It's called apt. Or dnf. Or most any package manager. Having a gigantic general list runs into the problem of how do you update it and how do you verify the updates?
You use GPG and trust the people publishing things, who sign the artifact that you actually download. Which is how every package manager I've seen works internally, anyways.
We haven’t been able to trust public PGP keyservers for a decade or more (possibly never, really).
So now we’re back at having to trust wherever we get the proof from, whether that’s the file hash, or the public key.
(Which, as you say, is what package managers provide, and if you don’t trust your system’s apt/yum/pacman/whatever, then you have a bigger problem than trusting any random install shell script.)