VideoLAN @videolan App Stores were a mistake. Currently, we cannot update VLC on Windows Store, and we cannot update VLC on Android Play Store, without reducing security or dropping a lot of users… For now, iOS App Store still allows us to ship for iOS9, but until when?
Pretty sure they’re signed by Microsoft instead? At least that’s what other app stores do.
It’s all a game of shifting the point of trust around. Personally, I’d trust most small time developers more than the likes of Microsoft and Google, however I’d trust Fdroid more than unknown developers (but still go direct to the developers I do trust).
The good ones are signed by the devs, otherwise there’s a risk of malicious modifications at upload or on the publishing infrastructure. This is how Maven works. All packages MUST be signed with PGP by the devs.
Apt isn’t signed by the devs but its signed by the package maintainers, whose job it is to verify the packages that they prepare (devs can’t upload software in Debian)