As far as I know, nobody can ensure that the apk's from aapks are ‘untouched’.
You actually can; the infrastructure is there to verify a package before or after install. I’ll give a (lengthy) walkthrough as I was curious myself. If you’re familiar with PGP or the Web PKI, you’ll identify that the problem is that there is no directory of publishers’ public keys.