Comment by veeti

To be clear it sounds like the upcoming "Android Developer Console" (distributing APK outside Play Store) https://developer.android.com/developer-verification/guides/...) does *not* require you to disclose your private key, only prove ownership:

> Select your key: Choose your public SHA-256 fingerprint certificate from a list of eligible keys.

> Complete a cryptographic challenge: You must sign a dummy APK with the corresponding private key and upload it to Android Developer Console. This formally verifies your ownership of the key used to sign your existing Android app.

Play Store on the other hand does require you to share keys, so they can optimize your APK for each device. And maybe inject some state malware if you want to be snarky.