by securitypunk
1819 days ago
APK is an antiquated format that originates from Java Jar over two decades ago. It's basically a zip file with some internal structure for signing a manifest of hashes. Google already had to bastardize the APK format to move the signature to ZIP metadata, but there were still tons of problems around key rotation and distribution of large APKs. This is a natural evolution of the format. It's good for the ecosystem. Whatever guarantees were supposedly provided by having developers (poorly) store their own signing keys are better handled by Google's own infrastructure.