Tomáš has an interesting article on trusting APKs from third-party mirrors.

Since Google is the gatekeeper of the APK trust chain, it’s not easy to independently verify APKs; Google doesn’t even give you the package signatures. The article shows a nifty method for extracting them by (ab)using the εxodus privacy audit project.

Do you know of a better way?