As there is no proper way for F-Droid users to establish the root of trust that would be required to verify that the apps they install from F-Droid are legitimate, I would like to propose some improvements that might help mitigate this.
Firstly, every app on the site should have its SHA-256 checksum listed along with its PGP signature in its description dialogue.
Secondly, the F-Droid app should be hardcoded to self-check its own package signature, calculate its own APK checksums, and display them in its own 'About' dialogue, so users can compare them with those on the F-Droid website and with the results from their own checksum calculator.
Thirdly, the F-Droid app should display the same package signature and checksum results for each app it has downloaded and installed, so the user can compare them with the F-Droid website and with their own checksum calculator.
Bottom line: if the F-Droid app's own built-in dialogue calculates the same package signatures and checksums as the F-Droid website, and the checksums also match the user's own third-party checksum calculator, there can be only one conclusion: the installed apps are the same as those that were built by F-Droid.
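The checksum half of the comparison described above, as an added example that is not part of the original post and not F-Droid's code: the user hashes the APK they actually have, then checks that digest against the value shown on the website and the value the client reports about itself, all three having to agree. Everything here is constructed for the demo: `build_sample_apk` writes an unsigned zip with APK-like entry names as a stand-in for a downloaded APK, and the "website" and "About dialogue" values are derived from that same file so the happy path matches. The signing-certificate fingerprint the post also wants compared is not computed here; in practice it is read with `apksigner verify --print-certs` and compared the same way, since `normalize_digest` accepts the colon-separated fingerprint format that tool prints.

```python
"""Three-way APK checksum comparison: the digest a user computes locally
against the one published on the download page and the one the installed
client reports about itself.  Added example, not F-Droid code."""
import hashlib
import hmac
import os
import tempfile
import zipfile

_CHUNK = 1 << 20  # hash large APKs in 1 MiB pieces instead of reading them whole


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(text: str) -> str:
    """Accept the forms a digest is usually pasted in (mixed case, an
    'SHA-256:' label, or the colon-separated AB:CD:... fingerprint style)
    and reject anything that is not exactly 64 hex digits afterwards."""
    s = text.strip()
    for label in ("sha256:", "sha-256:"):
        if s.lower().startswith(label):
            s = s[len(label):]
            break
    s = s.replace(":", "").replace(" ", "").lower()
    if len(s) != 64 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"not a SHA-256 hex digest: {text!r}")
    return s


def compare_checksums(local: str, website: str, app_about: str) -> dict:
    """Compare the user's own digest against the two other sources.

    hmac.compare_digest is used even though these digests are public; a
    constant-time comparison costs nothing and avoids a habit of using ==
    on secrets elsewhere.  The verdict is only 'all_match' when both the
    website value and the client's self-reported value equal the local one.
    """
    local_n = normalize_digest(local)
    verdict = {
        "website": hmac.compare_digest(local_n, normalize_digest(website)),
        "app_about": hmac.compare_digest(local_n, normalize_digest(app_about)),
    }
    verdict["all_match"] = verdict["website"] and verdict["app_about"]
    return verdict


def build_sample_apk(payload: bytes = b"constructed sample, not a real app") -> str:
    """Write a minimal zip with APK-like entry names to a fresh temp dir.

    This is a constructed stand-in for a downloaded APK: it is unsigned and
    not installable, it only gives sha256_of_file something realistic to read.
    """
    path = os.path.join(tempfile.mkdtemp(prefix="apk-demo-"), "sample.apk")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", payload)
        z.writestr("classes.dex", b"\x00" * 64)
    return path


def as_fingerprint(hex_digest: str) -> str:
    """Render a hex digest in the AB:CD:... style many tools print."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


if __name__ == "__main__":
    apk = build_sample_apk()
    local = sha256_of_file(apk)
    # Constructed stand-ins for what the website and the About dialogue show.
    website = "SHA-256: " + as_fingerprint(local)
    tampered = sha256_of_bytes(b"a different build of the same package")
    print("local digest :", local)
    print("all agree    :", compare_checksums(local, website, local))
    print("app differs  :", compare_checksums(local, website, tampered))
```

A mismatch on `app_about` with `website` still matching is the interesting case: the file the user hashed is the one the site published, yet the running client reports a different build, which is exactly the discrepancy the proposal wants made visible.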