Off the top of my head, at the very least I would provide checksums of each app so the user can use online tools like this one Checksum Calculator Online - AppDevTools to check the integrity of apps especially the f-droid.apk file before they install it. I would then include in the f-droid app a dialogue that informs the user of the results of similar checks on each file downloaded by the f-droid app. Anyone could therefore compare what the f-droid app is telling them with the results from their own checksum calculators to ensure they can trust the app thereafter.
Anyone can easily checksum the f-droid apk for an md5 and a sha256 using that tool it took just a few seconds to calculate the ones below for the f-droid apk. That would be well enough for most people to establish that root of trust. This is nothing new. This is simple and straightforward stuff using principles that were established decades ago so why do the f-droid devs ignore that?
MD5:79b5ae70cb731e1f57c1672786fc7367
SHA256:49128b38ccf5cb2676435dba1c6143f78a4e33dcd8bbca91a529881c94528ab5