a signature with an ephemeral key is meaningless. the apps should be starting out with a thing to show ALL of the required/optional permissions and bam, done. this is partly an issue related to the permissions system. android even has this, where you have to permit like 4 different things on first startup. the signers could improve on this by allowing batch pre-authorizing these actions, you can exclude the ones you don't want (the signer should explain the implications) and never be asked again until the app is upgraded and needs new permissions.