Verifying signing keys is one thing, but even better, f-droid.org can verify that the APK builds 100% from source, and that the APK f-droid.org builds matches the developer's official released APK:
https://f-droid.org/wiki/page/Deterministic,_Reproducible_Bu...
What would the OS check the signature against, though? The certs that come with the OS are for validating sites, not apps, so passing a check wouldn't tell you much. It seems that Android would have to add a whole new cert store (and mechanism for adding certs), not just a couple of lines.
That's not true at all. CA and leaf Certs have extensions and policies and can be used for any particular purposes. All the cert verification has to do is check for the code signing extension / policy.
You can use self-signed certificate to sign APKs. Once you publish the signed package, you have to use this same certificate for the package forever.
When updating, the system checks, whether the newer APK is signed by the same certificate and refuses update, if the certificate differs.
It simply does not matter, whether your cert is vetted by CA or not. So using PKI would not make sense there.
The rationale was not forcing the developers to purchase signing certificates in order to publish for the platform. It does not make difference anyway.
The rationale was that Google doesn't want a secure code signing mode as it would undermine their thesis that turning off the Google Play store is insecure.
At least even MacOS has a App Store + Identified Developers. Though of course, iOS doesn't have that..
> it would undermine their thesis that turning off the Google Play store is insecure.
I don't quite understand. How do you turn off the Play store?
It is necessary to make a distinction between what you want to believe and the reality. The reality is, that requiring validated keys would put the keys to the "official Android" kingdom into CA's hands. In addition, because Android is an open-source project, any alternative distribution would disable that. It would cause real fragmentation of the platform, where apps would run on one distribution and not on another, the difference would be only the signature. Google (correctly) decided, that they do not have to fight this fight.
A side note: getting CA verified can be problem in some parts of the world. What if you are Chinese? Crimean? You can still use Android as it is; you can't use any platform, that requires to be "Identified" by CA.