> The same way, as you can trust binaries from F-Droid more, than from Google Play.
Actually, no. I'm forgetting the exact details - but F-Droid (if I recall correctly) re-signs all packages with its own key, removing the developer's signing key. There's some infrastructure reason for it. Google Play keeps that key.
This is also why GrapheneOS offers sandboxed Google Play and recommends using that over F-Droid.
F-Droid will use your original signatures as long as they can rebuild the binary to be identical (excluding the signature), to verify that everything is open source. They only discard your signatures if they can't confirm that, to avoid issues with hosting proprietary bits.
I run GrapheneOS. It's an amazing project, and I always pay attention to what their developers say.
But you should keep in mind that the GrapheneOS project is very laser-focused on a certain threat model: aggressively malicious software that tries to exploit vulnerabilities to escape its sandboxes. And they fight against that threat very well (there have been a couple of recent high-profile Android CVEs to which GrapheneOS users were immune).
But they are - rightfully - less concerned about the far more common threat of apps including a crapload of tracking libraries, battery-burning ads, or dark patterns requesting unnecessary permissions. They provide you with tools to fight them - Storage Scopes and Contact Scopes are amazing! - but ultimately it's up to the user to e.g. choose a serious calculator app like Calculator++ instead of some spyware.
And against that threat, it is an excellent idea to search on F-Droid first instead of the Play Store (where the first non-Google, non-Samsung result is indeed an ad-filled spyware calculator). Then, if you want to secure yourself against the possibility of the F-Droid signing keys being compromised, you may choose to delay/disable automatic updates, or simply to download the Play Store version of the F-Droid-hosted apps.
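The reproducible-build check described upthread (rebuild the APK, then compare everything except the signature) as an added illustration; this is not F-Droid's own tooling, the APK layout is a constructed stand-in, and the rule for which META-INF entries count as "the signature" is an assumption of this example:

```python
"""Compare two APKs entry by entry, ignoring JAR (v1) signature files in
META-INF, so that the same app bits signed by two different keys compare equal."""
import hashlib
import io
import re
import zipfile

# v1 signature files in META-INF: the manifest, the .SF signature file and the
# .RSA/.DSA/.EC signature block. v2/v3 signatures live in the APK Signing Block,
# which is not a zip entry, so zipfile never sees them (assumption for this example).
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def differing_entries(apk_a: bytes, apk_b: bytes) -> list:
    """Entry names whose content differs or that exist in only one APK."""
    a, b = content_digests(apk_a), content_digests(apk_b)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))

def build_fake_apk(payload: bytes, signer: str) -> bytes:
    """Constructed stand-in for an APK: same app bits, different v1 signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", payload)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/{signer}.SF", f"signed-by-{signer}".encode())
        zf.writestr(f"META-INF/{signer}.RSA", f"cert-{signer}".encode())
    return buf.getvalue()

if __name__ == "__main__":
    dev = build_fake_apk(b"dex bytes", "DEV")          # developer-signed build
    rebuilt = build_fake_apk(b"dex bytes", "FDROID")   # identical rebuild, repo key
    tampered = build_fake_apk(b"dex bytes plus", "FDROID")
    print(differing_entries(dev, rebuilt))    # []
    print(differing_entries(dev, tampered))   # ['classes.dex']
```

An empty difference list is what lets a repository keep the developer's signature; any non-empty list is a build that could not be reproduced.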
https://privsec.dev/posts/android/f-droid-security-issues/