For your purposes, it seems quite acceptable to assume that the Android application has one signature. The Android APK can be compiled with several signatures, but it is not recommended or tested. (Why is Verizon doing this? Who knows.)
I found this archive from Dianne Hackborn, an Android development lady:
Q: I know that a subscriber subscriber supports multiple signatures in a single jar file. If the APK file has two valid signatures, does this mean that the APK can access the subscription level permission granted by both signers?
A. Theoretically, something is being done with several signatures, but no one has ever used this, so it probably doesn't work. It also has a side effect (if it does the job) of overlaying two signatures on the same thing, since they are supposedly from the same owner, which is most likely not what you want.
Another bit from Dianne (note the use of "it", not "they" and "certificate" instead of "certificates"):
Q: PackageInfo.signatures: What does it return?
A. This is the certificate that was used to sign the .apk.
But it is noteworthy that I found a test link for several signatures in the Android Git source: Test for checking package signatures (error 4596332). In addition, the Android BackupManagerService code (and other Android source code) ensures that it checks for multiple signatures.
So, here is my conclusion: you don't need to worry about a few signatures unless you are coding in a situation where security and compilation of certain packages are important. (However, it also seems that you would not have a big problem posting multiple signatures, if necessary.)
I hope this is at least somewhat satisfactory.
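For the security-sensitive case mentioned above, here is an added example (not part of the original answer and not Android's own code) that compares the whole signer set against pinned certificate digests instead of looking only at the first array element. The class and method names, and the exact-match policy, are assumptions; on Android the input would be the bytes of each entry in `PackageInfo.signatures` (via `Signature.toByteArray()`), and the certificates below are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper: pins the full set of signing certificates of a package.
public class SignerSetCheck {

    // Hex SHA-256 digest of one signing certificate's encoded bytes.
    static String sha256Hex(byte[] cert) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Assumed policy: the package's signer set must equal the pinned set exactly.
    // An empty or missing array fails closed, and array order is ignored.
    static boolean signerSetMatches(byte[][] certs, Set<String> pinned)
            throws NoSuchAlgorithmException {
        if (certs == null || certs.length == 0) return false;
        Set<String> actual = new HashSet<>();
        for (byte[] cert : certs) actual.add(sha256Hex(cert));
        return actual.equals(pinned);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for encoded signing certificates.
        byte[] certA = "constructed-cert-A".getBytes(StandardCharsets.UTF_8);
        byte[] certB = "constructed-cert-B".getBytes(StandardCharsets.UTF_8);

        Set<String> pinned = new HashSet<>();
        pinned.add(sha256Hex(certA));

        // One signer, as pinned: accepted.
        System.out.println(signerSetMatches(new byte[][] {certA}, pinned));
        // Extra signer present: a check of element [0] alone would accept this.
        System.out.println(signerSetMatches(new byte[][] {certA, certB}, pinned));
        // Same two signers in the other order: rejected as well.
        System.out.println(signerSetMatches(new byte[][] {certB, certA}, pinned));
        // No signatures reported: fail closed.
        System.out.println(signerSetMatches(new byte[][] {}, pinned));
    }
}
```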