Comment by mh-
21 days ago
My assumption is they want to eliminate/prevent schemes where a ton of apps are signed as a service by a small number of centrally controlled keys.
Someone elsewhere in the thread said this is how F-Droid works, but I can't confirm firsthand.
The signing certificate should indicate who is signing, and therefore who is liable. But maybe that’s not how they set it up previously.