gpg sign all files published to the repo
fdroid gpgsign
should create a .asc signature file for each file that is published to a repo (except maybe icons). That means things like build logs #495 (closed), source tarballs, etc. This provides a strong guarantee that the files are not modified on the webserver, so we can trust the webservers even less.