I would like to know what the best practices are for app verification before initial installation. My understanding is that GrapheneOS pins the app certificate at initial installation (TOFU trust model). This means that the source of the app doesn't really matter as long as the initial installation was honest.
So how can you verify an app? I think the best way would be to use apksigner and print out the certificate hash. With the hash of the certificate you can then compare on the internet with trusted sources. For example, if I verify the Signal apk, I might find the official Reddit forum with a lot of upvotes, the official site itself, and so on and so forth. More independent, trusted sources are better!
Is this the best way to verify apks before sideloading?
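As an added example (not from the original post), a small POSIX shell wrapper around `apksigner verify --print-certs` that pulls out the signer's SHA-256 certificate digest and compares it to the digest you collected beforehand from several independent sources. The sample apksigner output and the placeholder digest are constructed; the live check assumes `apksigner` from the Android SDK build-tools is on PATH.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate before sideloading by
# checking the apksigner digest against a value gathered independently.

# Read `apksigner verify --print-certs` output on stdin and print only the
# Signer #1 SHA-256 digest, lower-cased and without colons.
extract_cert_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' \
    | tr -d ':' | tr 'A-F' 'a-f' | head -n 1
}

# Compare an extracted digest with the expected one. Returns 0 on match,
# 1 on mismatch or on an empty digest (e.g. apksigner printed nothing).
check_cert_sha256() {
  actual=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full check on a real file: `apksigner verify` fails on a tampered or
# unsigned archive, and only then is the certificate digest compared.
verify_apk() {
  apk="$1"; expected="$2"
  out=$(apksigner verify --print-certs "$apk" 2>/dev/null) || return 1
  digest=$(printf '%s\n' "$out" | extract_cert_sha256)
  check_cert_sha256 "$digest" "$expected"
}

# Constructed sample in the format apksigner prints. The digest below is a
# placeholder; a real app's digest must come from sources you trust.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example, O=Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'
EXPECTED_PLACEHOLDER='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Live usage: APK=/path/to/app.apk EXPECTED_SHA256=<digest> sh verify.sh
if [ -n "${APK:-}" ]; then
  if verify_apk "$APK" "${EXPECTED_SHA256:?set EXPECTED_SHA256}"; then
    echo "certificate matches pinned digest"
  else
    echo "MISMATCH or invalid signature - do not install"; exit 1
  fi
fi
```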