Hacker News new | past | comments | ask | show | jobs | submit login

> > The absolute nightmare is about giving Google the root signing key of your application

> It seems plausible the US government could send a NSL (or similar) to Google and force them to distribute modified APKs for apps like Signal

Since when do you have to hand over your signing keys to Google? I seem to remember the Signal devs saying that they preferred publishing their app on Google Play as opposed to F-Droid because in the former case they control the signing keys. Has this changed?






> Since when do you have to hand over your signing keys to Google?

Since it requires App Bundles, which is mandatory, as soon as you have Android TV support, for example.

https://android-developers.googleblog.com/2022/11/app-bundle...

See https://dev.to/npomepuy/vlc-for-android-updates-on-the-play-...

reply


Apologies / small correction:

Apps first published to the Play store before August 2021 are not required to upload their keys [1]. This likely includes Signal.

[1] https://developer.android.com/guide/app-bundle

reply


Unless they use Android TV, for example: See https://dev.to/npomepuy/vlc-for-android-updates-on-the-play-...

reply


Thanks. TIL.

reply


Just for completeness: For reproducable builds F-Droid can now distribute builds signed by the developer.

reply


This has been the case for a few years now, and you could always distribute whatever you wanted from your own repo.

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: