Oddbean new post about login | logout Maybe? Are you thinking that when a new person verifies the app, the verification has to get interactively signed (with multisig) by other people? Or are you thinking co-signing with the store or some verification system paid for co-verifying?
With the likelihood of multiple secret key being compromised, a release has to get X number of signatures before considered verified by clients and thus downloadable. Whether the signatures are independent or m-of-n multi-sig is something to explore. In the case of paying for co-verifying I think it will have the wrong incentives if an invalid verification isn’t penalized somehow and the affected users reimbursed?