Tue 23.07.2024 08:48:03

F-Droid attempts to do repository metadata signing, but both the approach they take and the implementation are quite flawed. Transport security via HTTPS using WebPKI doesn't only trust their server. It also trusts every CA and sub-CA, without a way to monitor abuse, since unlike a browser there isn't enforced Certificate Transparency. We pin root keys and backup keys for our services in our apps, but of course that's not what's relied on for verifying App Store repository metadata.
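The post contrasts trusting whatever certificate chain delivered the repository index with checking the index against keys the client ships itself. The following is an added example, not code from GrapheneOS, F-Droid or the post's author, showing the second model in Go: the client carries a pinned root key and a pinned backup key, the index arrives with a detached Ed25519 signature and a key ID, and anything signed by a key outside the pinned set is rejected no matter how valid the transport was. The envelope format, the SHA-256 key ID, the function names and the JSON index payload are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID is the hex SHA-256 of the raw public key (assumed convention). It lets
// the index say which pinned key signed it without the verifier ever trusting
// key bytes carried inside the index itself.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// PinnedKeys models what the client compiles into its own binary (assumed:
// one active root key and one offline backup key). Nothing outside this set
// is trusted, regardless of which TLS certificate delivered the index.
type PinnedKeys struct {
	Root   ed25519.PublicKey
	Backup ed25519.PublicKey
}

// SignedIndex is an assumed envelope: index bytes, detached Ed25519 signature
// and the ID of the key that produced it.
type SignedIndex struct {
	KeyID   string
	Payload []byte
	Sig     []byte
}

var (
	ErrUnpinnedSigner = errors.New("index signed by a key that is not pinned in the client")
	ErrBadSignature   = errors.New("signature does not verify under the pinned key")
)

// GenerateKeypair stands in for the repository operator's offline key ceremony.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignIndex is the server-side step: sign the index and tag it with the key ID.
func SignIndex(priv ed25519.PrivateKey, payload []byte) SignedIndex {
	return SignedIndex{
		KeyID:   KeyID(priv.Public().(ed25519.PublicKey)),
		Payload: payload,
		Sig:     ed25519.Sign(priv, payload),
	}
}

// VerifyIndex is the client-side step. The key ID only selects which pinned
// key to try; the signature is still checked against the pinned bytes, so a
// forged ID cannot smuggle in an attacker's key. Returns the key that verified.
func VerifyIndex(pins PinnedKeys, si SignedIndex) (ed25519.PublicKey, error) {
	var key ed25519.PublicKey
	switch si.KeyID {
	case KeyID(pins.Root):
		key = pins.Root
	case KeyID(pins.Backup):
		key = pins.Backup
	default:
		return nil, ErrUnpinnedSigner
	}
	// Guard against an unset pin slot matching the ID of an empty key.
	if len(key) != ed25519.PublicKeySize {
		return nil, ErrUnpinnedSigner
	}
	if !ed25519.Verify(key, si.Payload, si.Sig) {
		return nil, ErrBadSignature
	}
	return key, nil
}

func main() {
	rootPub, rootPriv := GenerateKeypair()
	backupPub, backupPriv := GenerateKeypair()
	_, attackerPriv := GenerateKeypair() // e.g. someone holding a mis-issued cert for the mirror
	pins := PinnedKeys{Root: rootPub, Backup: backupPub}
	index := []byte(`{"repo":"example","apps":[]}`) // constructed sample index

	_, err := VerifyIndex(pins, SignIndex(rootPriv, index))
	fmt.Println("root-signed index:", err)
	_, err = VerifyIndex(pins, SignIndex(backupPriv, index))
	fmt.Println("backup-signed index:", err)
	_, err = VerifyIndex(pins, SignIndex(attackerPriv, index))
	fmt.Println("attacker-signed index:", err)
}
```

The backup key exists so the client can keep verifying after the active root is lost or compromised without shipping a new binary; rotating to it is a policy decision on the operator's side, and the verifier above deliberately treats both pins as equally trusted rather than encoding any rotation rule.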