That's the exact reason why package signing is decentralized in the Android ecosystem. All apps in the Play Store are signed by their developers.