Tomáš has an interesting article on trusting APKs from third-party mirrors.
Since Google is the gatekeeper of the APK trust chain, it’s not easy to independently verify APKs; Google doesn’t even give you the package signatures. The article shows a nifty method for extracting them by (ab)using the εxodus privacy audit project.
Do you know of a better way?