there apparently can be apps on the store with broken signatures.
the one I saw this with is
https://apps.nextcloud.com/apps/secsignid
apparently there is a whole bunch of files in the signature which arent in the actual download of the app (development stuff like gitignore for example)
shouldnt the store check the signatures before publishing them?