it looks like the user, metroplex is asking the devs to post the hashes associated to the app versions so a user can verify the hashes to the maintainers pgp/nostr keys using the application appverifier (I recommend).
maybe im missing something?
Discussion
there are package and certificate hashes on nostr:npub10r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7stjt2p8, but im not sure who is pushing the packages there.