Re: Up to ROM devs and app developers now
First:
Even then it wouldn't solve the fundamental security problems of custom ROMs. Not only the ZIP is signed with publicly known keys:
http://wiki.rootzwiki.com/Signing#Shared_Keys
Second:
If you automate it, you are again one checkbox away from disaster.
You can already achieve something like that if you flash back the OEM stock recovery and just boot/flash to a custom recovery when really needed.
The custom ROM scene doesn't even manage to correctly sign their ZIPs, so not even signature verification against itself is enforced by default in custom recoveries:
http://wiki.rootzwiki.com/Signing#ZIPs
Third:
The other problem with custom recoveries is that they are usually already too powerful. Allowing adb root (though CWMR does at least check for authorized adb_keys), allowing full backups, TWRP coming with a file manager, full busybox environments, etc.
That's why CyanogenMod went a different route for their OEM devices/Installer builds and made a new simple recovery (sr), which just allows updates which are signed with CM's private keys and wipes:
https://github.com/CyanogenMod/android_bootable_recovery-cm
http://review.cyanogenmod.org/#/c/64135/
TWRP also tried an OEM-friendly version, but didn't investigate further:
https://gerrit.omnirom.org/#/c/6631/
At least that commit doesn't mention signature enforcing.
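
Whether a flashable ZIP carries a signature at all can be checked structurally before any key is considered. The sketch below is an added example, not part of the original post or of any recovery's code: it looks for the whole-file signature footer that AOSP's signapk places at the end of the ZIP comment, and it neither verifies the signature nor identifies the signing key. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
EOCD_HEADER_SIZE = 22  # fixed part of the end-of-central-directory record
FOOTER_SIZE = 6        # signature_start(2), 0xff 0xff, comment_size(2)


def whole_file_signature_info(data: bytes):
    """Return (signed_len, signature_bytes) when the ZIP has a structurally
    valid whole-file signature footer, else None. No cryptographic check."""
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        return None
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    # sig_start counts back from the end of the file and must lie in the comment.
    if marker != 0xFFFF or sig_start <= FOOTER_SIZE or sig_start > comment_size:
        return None
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if eocd_size > len(data):
        return None
    eocd = data[-eocd_size:]
    # The comment must be the real archive comment: EOCD magic at the computed
    # offset and no second EOCD marker hidden after it.
    if eocd[:4] != EOCD_MAGIC or EOCD_MAGIC in eocd[4:]:
        return None
    # Signed region: the whole file minus the comment-length field and comment.
    signed_len = len(data) - eocd_size + EOCD_HEADER_SIZE - 2
    signature = data[len(data) - sig_start:len(data) - FOOTER_SIZE]
    return signed_len, signature


def build_sample(signature: bytes = b"") -> bytes:
    """Constructed sample: a one-entry ZIP, optionally with a footer-bearing comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/google/android/updater-script", "# constructed\n")
        if signature:
            body = b"constructed\x00" + signature
            footer = struct.pack("<HHH", len(signature) + FOOTER_SIZE, 0xFFFF,
                                 len(body) + FOOTER_SIZE)
            zf.comment = body + footer
    return buf.getvalue()
```

A `None` result means the archive has no whole-file signature block for a recovery to verify; a non-`None` result only shows the block is present, not that it validates or which key produced it.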