[bane]

Well, your signing of the package would just be a signature to Google that it was indeed you who uploaded it. Google would then sign the new packages as themselves and the Play store could only download and install Google signed packages.

[RyanZAG]

Android package security (who can send intents to who) is based off of signatures and it's not really possible or desirable to change that.

However, a build script to handle it all for you during upload would be a great way to solve it.

The API for this seems to lack the features that you would need though [1]. It doesn't appear to let you upload apps for only certain devices - unless you would specify it in the manifest of the app somehow?

Also amusing - the API says "Do not supply a request body with this method", yet obviously you'd have to supply a request body - the app itself! I have a feeling this is not a well-used API.

[1] https://developers.google.com/android-publisher/api-ref/edit...

[creshal]

> Also amusing - the API says "Do not supply a request body with this method", yet obviously you'd have to supply a request body - the app itself! I have a feeling this is not a well-used API.

Or Google just doesn't give a fuck. There's various bugs with uploading expansion files that are documented from day one and still unfixed.