Sure, but how do you know the APK is the repository's source code? I can sign a malicious APK, and the signature will still be valid.