What is the list of popular Android ROMs whose releases are cryptographically signed?
Today I learned that LineageOS (arguably the most-popular open-source Android ROM) does not cryptographically sign their releases with PGP. As such, they do not provide a safe way for users to download and install copies of LineageOS.
There is an issue open to fix this, but it’s been unanswered for months.
Generally speaking, the Android open-source ecosystem is a security nightmare: most ROMs will point you to download a .zip on some (often third-party) web server with no cryptographic signature — so LineageOS is not an exception here.
So what ROMs are available to the Android user that cares about their security? Which ROM developers care enough to sign their releases with GPG?