My point was that there's no real merit to the complaint that Signal requires Play Services if you're going to use an OS with Play Services installed anyway. One can reasonably argue that Signal should work on non-Play Androids, but since his target audience is non-technical users, it seems likely that they are all using (and are more secure using!) off-the-shelf iOS or Android phones, which implies a significant reliance on your vendor anyway.
Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.
> it seems likely that they are all using (and are more secure using!) off-the-shelf iOS or Android phones
In what sense are they more secure using stock Android than CopperheadOS? They wouldn't be installing it themselves either way. It's a product available for purchase too... have you done any research into what it is before making claims about it?
> Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.
Play contains a bunch of privileged / platform signature apps. They don't follow the regular permission rules. An unprivileged app not signed with the platform key cannot do automatic upgrades and counts as an unknown source. The Play Store chooses to bypass the trust-on-first-use signature checks of the package manager too. Upgrading apps via F-Droid or manually will perform the signature checks, but the Play Store does not. Try installing an app from F-Droid on a phone with Play, and note how Play will happily clobber it with an update signed with a different key. On the other hand, F-Droid won't do that even if you sign it with the platform key as CopperheadOS does to mark it as a unknown party source.
Do you have any pointers on how Play bypasses local signature verification? I'm surprised about that.