https://gitlab.com/fdroid/fdroiddata/-/issues/3110#note_1613430404

This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from in their words being held hostage by F-Droid.

This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.