by rahrahrah 3454 days ago
Ok, so I just want to be absolutely clear:

> They are signed by the same process as all other APKs on the store, using the play store developer keys that OWS received. Google can backdoor it because they control the distribution source and verification scheme.

If I verify the signature, I can determine whether or not the APK has been tampered with by Google, yes or no?

> It would be too easy to say "don't try to teach moxie how to do crypto" but this won't be interesting to either of us. I'm really curious what your threat model is that you would like an additional signature specifically by OWS, and what you want them to sign.

Well, obviously I'm not trying to teach anyone crypto as I don't know enough myself to begin with. My threat model is don't trust anyone that has a bad track record. In my book Google has a bad track record but not moxie.