Stanley | F-Droid - Free and Open Source Android App Repository is what you’re looking for: moreover, when parsing an apk file (=not installed), it allows you to detect all installed packages with same signature certificate (@xgouchet uses sha1 certificate instead sha256 algorithm as showed in F-Droid index-v1).
@Ildar com.oF2pks.applicationsinfo only works on (all) installed packages and doesn’t use any permissions storage; but twin ClassyShark3xodus does and uses same file access as Stanley.
I now have a working version with signatures, shasum256 & manifest checking on apk files through ClassyShark3xodus: moreover the app will allow understandable browsing of any *.xml file via regular file browsers : wip oF2pks / fdroid-classyshark3xodus / Downloads — Bitbucket