by vetinari 4075 days ago
You can use a self-signed certificate to sign APKs. Once you publish the signed package, you have to use this same certificate for the package forever.

When updating, the system checks whether the newer APK is signed by the same certificate and refuses the update if the certificate differs.

It simply does not matter whether your cert is vetted by a CA or not. So using PKI would not make sense there.

The rationale was not forcing the developers to purchase signing certificates in order to publish for the platform. It does not make a difference anyway.
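A simplified model of the update check described in the comment above, added here as an illustration; it is not part of the original comment and not Android's own code. The installer pins the signing certificate set on first install and compares it on every update, without ever validating a chain. `PackageStore`, the package name and the certificate byte strings are hypothetical.

```python
import hashlib

class SignatureMismatch(Exception):
    """Raised when an update is signed by a different certificate set."""

def cert_digest(cert_der: bytes) -> str:
    # The certificate is an opaque identity blob here: no chain building,
    # no issuer check, no expiry check. Only byte-for-byte identity matters.
    return hashlib.sha256(cert_der).hexdigest()

class PackageStore:
    """Hypothetical model of the installer's signer-continuity check."""

    def __init__(self):
        self._pinned = {}  # package name -> frozenset of signer digests

    def install(self, package: str, signer_certs: list[bytes]) -> str:
        if not signer_certs:
            raise ValueError("unsigned package")
        signers = frozenset(cert_digest(c) for c in signer_certs)
        pinned = self._pinned.get(package)
        if pinned is None:
            # First install: whatever certificate signed it becomes the pin.
            self._pinned[package] = signers
            return "installed"
        if signers != pinned:
            raise SignatureMismatch(f"{package}: signer changed, update refused")
        return "updated"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SELF_SIGNED_DEV = b"subject=CN=dev|issuer=CN=dev|pubkey=AAAA"
CA_ISSUED_OTHER = b"subject=CN=dev|issuer=CN=Example CA|pubkey=BBBB"

def demo() -> list[str]:
    store = PackageStore()
    results = [store.install("com.example.app", [SELF_SIGNED_DEV])]
    # Same self-signed certificate: accepted as an update.
    results.append(store.install("com.example.app", [SELF_SIGNED_DEV]))
    try:
        # Different certificate, even a CA-issued one: refused.
        store.install("com.example.app", [CA_ISSUED_OTHER])
    except SignatureMismatch:
        results.append("refused")
    return results

if __name__ == "__main__":
    print(demo())
```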

1 comments

The rationale was that Google doesn't want a secure code signing mode as it would undermine their thesis that turning off the Google Play store is insecure.

At least even MacOS has an App Store + Identified Developers. Though of course, iOS doesn't have that...

> it would undermine their thesis that turning off the Google Play store is insecure.

I don't quite understand. How do you turn off the Play store?

It is necessary to make a distinction between what you want to believe and the reality. The reality is that requiring validated keys would put the keys to the "official Android" kingdom into the CAs' hands. In addition, because Android is an open-source project, any alternative distribution would disable that. It would cause real fragmentation of the platform, where apps would run on one distribution and not on another; the only difference would be the signature. Google (correctly) decided that they do not have to fight this fight.

A side note: getting CA-verified can be a problem in some parts of the world. What if you are Chinese? Crimean? You can still use Android as it is; you can't use any platform that requires you to be "Identified" by a CA.