by llarsson 2249 days ago
That sounds shady. Thank you for the warning. How does one determine that?

Also not found on F-droid. Hard pass.


F-Droid has the same potential tampering issue: apps there are signed by the F-Droid key, not the developer’s key.

An F-Droid compromise could backdoor every app.

Any history of this?
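As an added illustration of the point above (not code from the thread or from F-Droid), this reads the signing certificate out of an APK's v1 (JAR) signature block and compares its SHA-256 fingerprint against a pinned value, which is how you tell a build signed with the developer's key from one re-signed by a repository. It only identifies the signer and verifies nothing; on a real APK the authoritative check is `apksigner verify --print-certs`, which also covers the v2/v3 signing blocks. The APK, certificates and PKCS#7 wrapper here are constructed dummies so the block runs offline.

```python
import hashlib, io, zipfile
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
    return tag, pos + hdr, pos + hdr + length

def certs_from_pkcs7(der):
    """DER bytes of each certificate in a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    _, p, _ = _tlv(der, 0)  # ContentInfo SEQUENCE
    _, _, p = _tlv(der, p)  # skip contentType OID
    _, p, _ = _tlv(der, p)  # content [0] EXPLICIT
    _, p, _ = _tlv(der, p)  # SignedData SEQUENCE
    for _ in range(3):  # skip version, digestAlgorithms, encapContentInfo
        _, _, p = _tlv(der, p)
    tag, p, end = _tlv(der, p)  # certificates [0] IMPLICIT SET OF Certificate
    certs = []
    while tag == 0xA0 and p < end:
        _, _, e = _tlv(der, p)
        certs.append(der[p:e])  # whole Certificate TLV: the bytes a cert fingerprint hashes
        p = e
    return certs

def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of the v1 (JAR) signing certs. Identifies signers; verifies nothing."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [hashlib.sha256(c).hexdigest() for c in certs_from_pkcs7(z.read(name))]
    return fps

def signed_by_pinned_key(apk_bytes, pinned_fp):
    """True only if some signer matches the developer's published fingerprint (colons optional)."""
    return pinned_fp.lower().replace(":", "") in signer_fingerprints(apk_bytes)

# Constructed sample data: dummy cert bodies wrapped in a PKCS#7 shell; not real certs or signatures.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length; every body here is < 128 bytes
DEV_CERT = _der(0x30, b"constructed dummy certificate: developer's key")
REPO_CERT = _der(0x30, b"constructed dummy certificate: repository's key")

def build_sample_apk(cert_der=DEV_CERT):
    signed = _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, b"") + _der(0xA0, cert_der)
    pkcs7 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702")) + _der(0xA0, _der(0x30, signed)))
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

Building the same sample with `REPO_CERT` instead of `DEV_CERT` stands in for a repository-signed rebuild: the pinned developer fingerprint no longer matches.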

For anyone: Why don't they cross-sign with their key+dev key?

Because the builds are (generally) not reproducible.

I think cross-signing implies adding a second signature (notarization) to an existing dev-signed build, not doing a rebuild.

Does apk support such a thing?

Check out Bromite, they have an F-Droid repo that you can add to F-Droid!

Not affiliated with Bromite, just cycling accounts, can point toward my last one if anyone's concerned about this acct's greenness.

You got my hopes up, but Bromite doesn't support extensions according to their FAQ: https://github.com/bromite/bromite/blob/master/FAQ.md
My chosen threat model does not allow for significantly less security in exchange for extensions.

Also, they may very well take PRs for extension support (haven't looked through their Issues/roadmap), but I'm sure it's not at the top of a security-first project's to-do list.