Replying to ChipTuner

To complement your example, I have been enjoying Obtainium. Code directly from the developer. If I could, I would want an app store that I can manually enter developers' keys into or do an OpenSSH-style "do you want to save this key" on first download, then subsequent updates will validate signatures as they are released. If the developer changes their keys, it should be a manual process or lots of blinking red lights. I don't want to trust an app store, like the case for F-Droid. I understand why they do it, but I like the model of, hey get this package from its owner.

franzap 1y ago

you just described zap.store 😄

And yeah TOFU is the way. Android does it and we'll be bringing that to other OSes
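The trust-on-first-use flow discussed in this thread, sketched as an added example that is not part of either post and is not zap.store's or Android's code. It assumes the package signature has already been verified against `pubkey` by the caller; `PinStore`, `Verdict`, the JSON pin file and the key bytes used with it are hypothetical names and constructed values.

```python
import hashlib, hmac, json, os
from enum import Enum

class Verdict(Enum):
    FIRST_USE_PINNED = 1   # user accepted the key on first download
    DECLINED = 2           # user refused the first-use prompt
    OK = 3                 # key matches the saved pin
    KEY_CHANGED = 4        # mismatch: block the update, never re-pin silently

def fingerprint(pubkey: bytes) -> str:
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()

class PinStore:
    """Hypothetical pin file mapping app id -> developer key fingerprint."""
    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.pins, f, indent=2)
        os.replace(tmp, self.path)  # atomic swap: a crash cannot truncate the pins

    def check(self, app_id, pubkey, confirm=lambda app_id, fp: False):
        """confirm() is the 'do you want to save this key' prompt; default is no."""
        fp = fingerprint(pubkey)
        pinned = self.pins.get(app_id)
        if pinned is None:
            if not confirm(app_id, fp):
                return Verdict.DECLINED
            self.pins[app_id] = fp
            self._save()
            return Verdict.FIRST_USE_PINNED
        return Verdict.OK if hmac.compare_digest(pinned, fp) else Verdict.KEY_CHANGED

    def repin(self, app_id, old_fp, new_pubkey):
        """Manual key rotation: the caller must restate the pin being replaced."""
        if app_id not in self.pins or not hmac.compare_digest(self.pins[app_id], old_fp):
            return False
        self.pins[app_id] = fingerprint(new_pubkey)
        self._save()
        return True
```

A `KEY_CHANGED` verdict leaves the old pin in place, so an update signed with a different key keeps failing until someone calls `repin` with the fingerprint they are deliberately replacing.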
