Comment by EMIRELADERO
21 days ago
Holy shit, going to the official page[1], there's something that is somehow even worse than the loss of freedom:
"You'll need to prove you own your apps by providing your app package name and app signing keys."
That is capital-I Insane.
This is confusing, since signing something already proves that you own the key.
They've been demanding signing keys for apps distributed on the Play Store for years.
The only credible explanation I can come up with is that they need the keys in order to produce indistinguishably backdoored versions of applications, handy for tools like signal.
Otherwise one would never think of requesting the private keys -- if Google wants to rebuild apps themselves they could sign with their own keys, and possessing anyone else's private key is just pure liability: if there is any discovered abuse they can't show that they weren't the vector.
So sketchy!
My assumption is they want to eliminate/prevent schemes where a ton of apps are signed as a service by a small number of centrally controlled keys.
Someone elsewhere in the thread said this is how F-Droid works, but I can't confirm firsthand.
The signing certificate should indicate who is signing, and therefore who is liable. But maybe that’s not how they set it up previously.
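The point raised above that "signing something already proves that you own the key" can be shown concretely with a challenge-response exchange. The following is an added example, not code from the thread or from any store's actual verification flow: the verifier issues a package name plus a random nonce, the developer signs it with an Ed25519 key held only on their side, and the verifier checks the signature against the public key it already has on file. The package names, the `Challenge` layout and the function names are all constructed for illustration; the private key is never transmitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Challenge is what the verifier (e.g. an app store) hands to a developer who
// claims to own a package: the package name plus a fresh random nonce, so a
// signature cannot be replayed for a different package or a later request.
// (Constructed for this example; not a real store's message format.)
type Challenge struct {
	PackageName string
	Nonce       [32]byte
}

// GenerateDeveloperKey creates an Ed25519 key pair. The private half stays with
// the developer (ideally in an HSM); only the public half is registered with the
// verifier.
func GenerateDeveloperKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is the verifier-side step: bind the claim to a package name and
// a nonce that has never been used before.
func NewChallenge(pkg string) (Challenge, error) {
	ch := Challenge{PackageName: pkg}
	if _, err := rand.Read(ch.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	return ch, nil
}

// encode serialises the challenge unambiguously (length-prefixed name, then
// nonce) so that no two distinct challenges share a byte string.
func encode(ch Challenge) []byte {
	buf := make([]byte, 4, 4+len(ch.PackageName)+len(ch.Nonce))
	binary.BigEndian.PutUint32(buf, uint32(len(ch.PackageName)))
	buf = append(buf, ch.PackageName...)
	buf = append(buf, ch.Nonce[:]...)
	return buf
}

// ProveOwnership runs on the developer side: it signs the challenge and returns
// only the signature. The private key never leaves this function.
func ProveOwnership(priv ed25519.PrivateKey, ch Challenge) []byte {
	return ed25519.Sign(priv, encode(ch))
}

// VerifyOwnership runs on the verifier side using the public key already on
// file for the package. It needs nothing secret from the developer.
func VerifyOwnership(pub ed25519.PublicKey, ch Challenge, sig []byte) bool {
	return ed25519.Verify(pub, encode(ch), sig)
}

func main() {
	pub, priv, err := GenerateDeveloperKey()
	if err != nil {
		panic(err)
	}
	ch, err := NewChallenge("org.example.app") // constructed sample package name
	if err != nil {
		panic(err)
	}
	sig := ProveOwnership(priv, ch)
	fmt.Println("genuine developer verifies:", VerifyOwnership(pub, ch, sig))

	// The same signature presented for a different package name is rejected.
	other := ch
	other.PackageName = "org.example.other"
	fmt.Println("replayed for another package verifies:", VerifyOwnership(pub, other, sig))
}
```

The nonce is what makes this a proof of current possession rather than a reusable token: a signature captured once cannot satisfy a later challenge, and a signature over one package name cannot be repurposed for another. None of this requires the verifier to hold the developer's private key, which is the point the thread is making.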