@cy8aer @fdroidorg @marcprux iirc grapheneos disagrees with fdroid's signature model (where all apps are signed by fdroid and builds aren't really reproducible), among other things. However, I don't think this is the case here. You may ping them and ask if you want.
Here is some insight of you wanna go down the rabbit hole: https://discuss.grapheneos.org/d/7519-f-droid-security/10
@Alonely0 @cy8aer @fdroidorg @marcprux Since you brought up the signature model, Google Play requires devs keep the signing keys with them, F-Droid just offers it as an option. F-Droid offers using only the upstream signature if the app is reproducible. https://f-droid.org/docs/Reproducible_Builds/#publishing-apks-with-the-upstream-developers-signature
Also, how the APK signing keys are managed has nothing to do with Android Developer Verification or Keep Android Open.
@eighthave @cy8aer @fdroidorg @marcprux all of this is orthogonal to the issue, it was just speculation about a tangential topic.