eightysix

APK Signing

2026-02-27

What is this about?

My letter to Google

Please forgive me for any swear words I use here, I'm already fed up enough with
closed-circles like DOCSIS, PSD2, Widevine and HDCP that essentially make it
impossible to develop open source software - as an open source developer and I
essentially use almost only open source software.
I also made the choice to work at a company that deals with the development,
support and hosting for open source software. I believe in the fact that open
source is a better way to go. Open source means freedom and that is being killed
by having to sign every binary.
You cannot install OpenWRT on your Cable Router because you need to sign the
firmware.
You cannot run a local multibanking app using PSD2 (that does not rely on a 
proxy) because you need to get a certificate and embedding the private key in
all built apps is a no go.

You cannot watch Widevine L1 """protected""" content on operating systems like
Linux because there really exist no drivers, etc... - and then the Widevine
L3 module is also proprietary.

You already fuck over your users enough with existing restrictions like
Widevine and the Integrity API. Security through obscurity is not the way to go.
For example, people would stop pirating if the platforms stop using DRM and
provide a better service, they won't feel the need anymore! Forget watching
anything but 720p on Streaming services on anything but Windows or macOS. I use
Linux since my childhood so I was wondering why the streaming quality on sites
always looked so shitty, despite us paying 4k UHD subscriptions. Back then I was
naive but now I know what this bullshit boils down to. Stubbornness from the
industry and thinking they can control what the users do, just to try and keep
away a dozen hackers that will outsmart you anyways! It just feels like the
industry is forcing you to pirate when you want to enjoy 4k UHD on Linux which
creates a moral dilemma! I want to support people who create their content
- this DRM shit basically only punishes their fans that want to pay!

People who really want to restrict their users whether or not they can install
APKs should do that using one of the many MDMs on the market. The many warnings
you get when installing an APK should suffice already. This is only going to
frustrate users, like with the already existing and broken DRM mentioned above.
(It will always be broken.)

The Integrity API already makes it harder to run alternative open source
operating systems and use stuff like Banking apps on them (The problem with PSD2
being a closed-circle with no option for open source apps is another story
though.)
And now this? Are you being absolutely serious? Apple - okay, they're kinda
being forced to - is slowly opening up their mobile OS and you are going
actively into the other direction? You know, I always bought an Android over an
Apple-Device because I thought "Hey, this platform is pretty open, it's easier
to develop, test and distribute software for it", but I guess I am being proven
wrong. Corporate greed and stubbornness just destroy everything good we have in
this world. This is a great way to create a monopoly so you have full control
over everything. However, I feel like there are going to be many lawsuits if
these changes pass. I also always bought Google Pixel phones (despite then
installing alternative open source operating systems) just because software
support and operating system support was great. That changed too though, with
you all now deciding to no longer release your device trees. Why? It literally
makes no difference except making the lives of people that develop custom ROMs
easier.

Proprietary software is not the way to go. The xz backdoor had a massively
higher chance to get discovered because it was all developed out in the open.
This cannot be said or verified about proprietary software. The users are forced
to trust the company that they have not inserted a backdoor or been paid by a
government or accidentally hired a spy.

Also, this only feels like you want to restrict people from watching YouTube
without Ads, lol! Stop wasting your money on bullshit like this and focus on
improving the platform. Maybe then people will be okay with watching one short
Ad. This - and other forms of DRM - are a cat and mouse chase. You will never
truly win and fuck over your customers - people might just stop buying Android
phones then. Grow up.