Historically, Google's Play Store used a decentralized trust model of shipping apps signed by the developers. In an OS with Google apps and services integrated, the Play Store is granted the ability to do background app installs / uninstalls but cannot bypass the signing checks.
Google has been moving away from this to an approach matching Apple. Developer keys will only be used to verify uploads of bundles used to generate packages signed by the app store. Amazon and the official F-Droid repository also centralize trust, just without the optimizations.
Replying to
F-Droid only does this when the app is not reproducible. They don't want to ship unverified binaries to users, so they build apps themselves. If the build matches the submitted binary, the developer's original binary and signature are shipped.