No, the signature acts like a security feature; you can get the APK from apkpure/apkmonk/apkmirror/fdroid and if it matches you are safe (as far as I understand, barring if they found another way to inject malware, e.g. https://f-droid.org/en/2017/12/13/fdroid-and-janus.html).
Thanks. One thing I’ve learned with age, don’t shy away from asking questions. Thanks again,
Ok, thanks. So the chance of receiving a compromised APK through the Janus exploit or similar is maybe not completely 0%, but really low.
My main concern is solved and I can re-enable auto-updates and allow updates from whatever store.
That might depend: https://f-droid.org/en/2017/12/13/fdroid-and-janus.html
I, for one, would not go and “allow updates from whatever store”
I actually meant either Google Play or F-Droid. These are pretty safe I think, certainly for apps which are available in both stores.
I have Tor Browser for Android (Alpha) 60.4.0 downloaded from F-Droid. I can update it to 60.5.0 from the Play Store. [I assume they have the same signatures.(?) I have “Include incompatible versions” off. I’m guessing this app falls under the exception, like the Guardian Project apps.] I don’t like to assume. I’ll wait for F-Droid to catch up.
Tor Browser for Android is hosted on Guardian but it’s directly from TorProject, and yes it’s the same APK.
Ahhh. Thanks for the info.
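As an added example that is not part of the original thread: the "if it matches" check discussed above, written as a comparison of the signer certificates embedded in two copies of an APK. It assumes both files carry an APK Signature Scheme v2 or v3 block, and the function names are this example's own.

```python
# Added example (names are this example's own). It reads certificates only;
# it does NOT verify that the signature over the APK contents is valid.
import hashlib
import struct

MAGIC = b"APK Sig Block 42"
SCHEME_IDS = (0x7109871A, 0xF05368C0)  # APK Signature Scheme v2, v3

def _take(buf, pos=0):
    """Read one uint32-length-prefixed field; return (field, next position)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated length-prefixed field")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _items(buf):
    """Split a buffer that is a sequence of length-prefixed fields."""
    pos, out = 0, []
    while pos < len(buf):
        item, pos = _take(buf, pos)
        out.append(item)
    return out

def signer_cert_digests(apk):
    """SHA-256 of every signer certificate in the v2/v3 signing block."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK")
    (cd,) = struct.unpack_from("<I", apk, eocd + 16)  # central directory offset
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        raise ValueError("no APK Signing Block (v1-only or unsigned)")
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    start = cd - size - 8  # leading copy of the size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent signing block size")
    pos, end, found = start + 8, cd - 24, set()
    while pos + 12 <= end:  # each pair: uint64 length, uint32 id, value
        n, pair_id = struct.unpack_from("<QI", apk, pos)
        value, pos = apk[pos + 12:pos + 8 + n], pos + 8 + n
        if pair_id in SCHEME_IDS:
            for signer in _items(_take(value)[0]):
                signed_data, _ = _take(signer)
                # skip the digests field, then read the certificates field
                certs, _ = _take(signed_data, _take(signed_data)[1])
                found.update(hashlib.sha256(c).hexdigest() for c in _items(certs))
    return found

def same_signer(apk_a, apk_b):
    """True when both APKs carry the same non-empty set of signer certificates."""
    a, b = signer_cert_digests(apk_a), signer_cert_digests(apk_b)
    return bool(a) and a == b
```

Read each file with `open(path, "rb").read()` and pass the bytes to `same_signer`. A match shows only that both copies name the same signer; `apksigner verify --print-certs` additionally checks that the signature itself is valid.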