Does it verify that packages are properly signed or does it blindly trust GitHub as a source?
Discussion
AFAIK it doesn't. But if you're using a Googled Android it will verify and warn you if the signer is not registered at the Play Store. It would be amazing if Obtainium could verify them against a public key published somewhere besides GitHub.
I agree it would be awesome having something like Obtainium that can verify signatures. Even if we had to manually enter the author's key in the app once, it would still retain the automatic update functionality.
And this is the reason why the #fdroid repo model is always a better alternative. #obtainium is great, but just an escape hatch if your app is not on #fdroid.
#aurorastore is last resort.
You can install the first package manually from GitHub. Afterwards you can upgrade with Obtainium trustlessly. That's because Android won't upgrade packages when signatures don't match.
