Reasonable validation of a software package

[Anonymous User]

Fellow cpunks:

I am working on various software packages for UNIX and
Windows and since this is commercial work and prior NDA's
are involved, I can't include the source code for
absolute validation.

What would assure one that a package has not been tampered
with from the company to the user?

(Currently, I am using PKZIP's rather anemic AV protection,
as well as signing the archive with my PGP key.  I am 
wondering if there are any other steps I need to take to
assure that a package came from me, and wasn't 
damaged/altered/tampered with in transit.)

Thanks in advance.