[guardian-dev] Google's new App Signing service

Hans-Christoph Steiner hans at guardianproject.info
Thu May 18 04:29:06 EDT 2017

Lol, so it turns out that F-Droid was a pioneer and innovator, years
ahead of Google ;-)

Looks like a play to give Google more info on releases, since all
releases must go through them.  It would also encourage developers to
use Google as the gatekeeper for app releases.  I guess this could also
be some kind of key backup.

Anyone see anything about their motivations for doing this?  I wonder
how much data they have on signing keys getting stolen and abused.


Nathan of Guardian:
> Just logged into Play and found this:
> https://support.google.com/googleplay/android-developer/answer/7384423
> "Google Play
> Google Play App Signing Terms of Service
> Effective as of May 17th 2017
> By enrolling Your application (“app”) in Google Play App Signing (GPAS)
> service, You consent to be bound by these terms, in addition to the
> existing Google Play Developer Distribution Agreement (“DDA”) and Google
> Play Developer Program Policies (collectively, the “Agreement”). If
> there is a conflict between these terms and the Agreement, these terms
> govern use of Your app in GPAS. Capitalized terms used below, but not
> defined below, have the meaning ascribed to them under the Agreement.
> 1. Key Generation and Storage
> 1.1. GPAS is an optional service that provides a secure means of
> handling Your app signing key.
> 1.2. By enrolling Your existing app in GPAS, You agree to give Your
> existing app’s signing key to Google and to secure or delete Your
> copy(ies) of the key. For new apps, Google will generate a new app
> signing key for Your app.
> 1.3. You will have the ability to download and review any APKs you
> publish that are signed by Google.
> 2. Automated App Optimizations
> 2.1. By enrolling Your app in GPAS, in addition to the license granted
> in 5.1 of the DDA, You grant Google a license to modify Your app APKs to
> optimize their performance, security and/or size, for the life of the
> app. The modifications, and the timing of which, will be made at
> Google’s sole discretion.
> 2.2. For the avoidance of doubt, services provided in GPAS are not
> intended to change the purpose of Your app.
> 3. Permanent Enrollment
> 3.1. It will not be possible to retrieve Your app signing key once it is
> provided to or generated by Google.
> 3.2. You can unpublish Your app and publish a new app with a new package
> name, without opting into GPAS, at any time.
> 4. Optional App Optimizations
> 4.1. Google may offer You app optimizations, separate from the automated
> ones referenced in Section 2, that You may choose to apply to Your apps
> enrolled in GPAS.
> 4.2. You are not required to accept any of these optional app
> optimizations.
> 4.3. If You choose to apply an optional app optimization, You can
> opt-out of any you choose at any time.
> 5. Changes to the Agreement
> 5.1. Google may make changes to these terms at any time by sending You
> reasonable notice describing the modifications made. Google also will
> post a notification on the Google Play Console describing the
> modifications made. They will become effective, and will be deemed
> accepted by You, (a) immediately for those who opt-in to GPAS after the
> notification is provided, or (b) for pre-existing GPAS users, on the
> date specified in the notice. If You do not agree with the modifications
> to the Terms, You must withdraw from GPAS, subject to Section 3, which
> will be Your sole and exclusive remedy. You agree that Your failure to
> withdraw constitutes Your agreement to the modified terms.
> © Google  Privacy & Terms  Help"

PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
