Conversation

Historically, Google's Play Store used a decentralized trust model of shipping apps signed by the developers. In an OS with Google apps and services integrated, the Play Store is granted the ability to do background app installs / uninstalls but cannot bypass the signing checks.
Google has been moving away from this to an approach matching Apple. Developer keys will only be used to verify uploads of bundles used to generate packages signed by the app store. Amazon and the official F-Droid repository also centralize trust, just without the optimizations.
Replying to
In theory, but that's not what they do for most of the apps where reproducible builds are possible. It also depends on F-Droid keeping up with the development and signing tools used by real world apps. Since it took 5 years to support v2+ signatures, that clearly isn't viable.
Replying to and
If F-Droid is going to be building apps with broken and out-of-date tooling, that's a problem, and it's on F-Droid if they can't reproduce builds rather than on the apps. Apps should be adopting the modern development tools and security features, not falling years behind on it.
Replying to and
Nearly all apps in the official F-Droid repository are signed with F-Droid keys, not the developer keys. Pretty much need to start over with a new repository if it's the intended overall approach. It's also a problem they used the official app ids for builds with their keys.