There can be a repository of signed hashes of apps, by someone doing a reproducible build. And this can be verified before installing the app.
Replies (2)
AppVerifier does something similar: https://github.com/soupslurpr/AppVerifier
Android is Trust On First Use (TOFU). Obtainium allows you to share to AppVerifier on first install to verify it. From then on you don't have to worry as it'll only update if the signature is the same. Word of warning, AppVerifier only contains a small amount of signatures stored in its internal db [1]. Often a dev will include their signature on GitHub and then you can paste that in to AppVerifier to double check.
[1] https://github.com/soupslurpr/AppVerifier/blob/main/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt
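The TOFU check the replies describe (record the signing certificate hash on first install, refuse a later update whose certificate differs, optionally confirm the first install against a hash the developer published) as an added example in Python; this is not AppVerifier's or Obtainium's code. It assumes the input is the text printed by `apksigner verify --print-certs`; the sample output and the digest in it are constructed placeholders, not a real app's key.

```python
import re
from typing import Dict, List, Optional

# apksigner prints one such line per signer:
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.MULTILINE
)

# Constructed sample of `apksigner verify --print-certs` output (placeholder digests).
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Example Dev, O=Example, C=US
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
"""


def normalise(digest: str) -> str:
    """Accept the colon-separated / upper-case form developers often publish."""
    return digest.replace(":", "").replace(" ", "").lower()


def signer_digests(apksigner_output: str) -> List[str]:
    """Return every signer's SHA-256 certificate digest, lower-case, in signer order."""
    return [normalise(d) for _, d in DIGEST_RE.findall(apksigner_output)]


def tofu_check(store: Dict[str, str], package: str, digests: List[str],
               published: Optional[str] = None) -> str:
    """
    Trust-on-first-use decision for one package name.
    store maps package name -> comma-joined sorted digest set recorded on first install.
    Returns "pinned" on first sight (digests recorded), "match" when they equal the
    stored set, or "MISMATCH" when the signing certificate(s) changed. If `published`
    (a digest the developer posted) is given, the first install must match it too.
    """
    if not digests:
        return "MISMATCH"  # unsigned APK or unparsable output: never trust it
    current = ",".join(sorted(digests))
    if package not in store:
        if published is not None and normalise(published) not in digests:
            return "MISMATCH"
        store[package] = current
        return "pinned"
    return "match" if store[package] == current else "MISMATCH"
```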