handle APKs that have "frosting" in the APK Signing Block.
The frosting block in the APK signature can include a separate signature that is tied to the app store that distributed the APK. It is possible to take a valid APK and add "frosting" to it, and the APK Signature will still validate. So an APK with the exact same contents according to the APK Signature will have a different checksum when frosting is added. Should fdroidserver just treat them as different APKs? Or should it strip frosting, since it is basically the app store signature?
The frosting is currently used to prove that the APK was distributed by Google Play. Also, an interesting side note: if the frosting can be freely added and removed without affecting the APK Signature validity, then the frosting cannot prove that the APK came from Google Play, since someone could take the base APK and copy in the frosting block.
Here's some code that works with frosting that @U039b pointed me to: https://bi-zone.medium.com/easter-egg-in-apk-files-what-is-frosting-f356aa9f4d1
@obfusk FYI https://github.com/obfusk/apksigcopier/issues/46