Release APKs are reproducible. You can verify that the APK you download matches the source code by building it yourself and comparing the output.
Use this SHA-256 signing certificate fingerprint to verify releases:
FD:29:86:45:7A:6A:6E:4D:D9:05:6B:3C:A5:A6:9E:0E:DF:D5:AA:9D:D4:5B:3D:78:DB:21:E8:AD:72:FB:AE:AD
