@alex True, people should verify the code instead, but virtually nobody does that, as proven by backdoors which got discovered after deployment like Jia Tan's on xz-utils.
Or how some tools don't allow to verify first, like pip always runs setup.py: https://github.com/pypa/pip/issues/1884

Typically because there is just too much code that one has to run on their machines, so we need to be able to delegate some trust (Be it via signatures on commits, tags or tarballs. Or to a distro).

---

I doubt GoToSocial does JSON-LD Signatures as it's a royal pain to deal with (mostly due to having to canonicalize JSON) and most of the Fediverse doesn't uses them.

It's more likely that GoToSocial's HTTP Signature verification is somewhat broken.