I enrolled my apps in ‘Google Play Signing’. Now I see in the console the following message:
I thought that it is due to the fact that all my apps were initially signed with the same release key (that I uploaded to the Google Play Console during the enrolment procedure for Google Play Signing). So I thought that Google Play sees that the same key is used by several apps and considers the key compromised.
Nevertheless, I see here that it is written:
‘Important: Resetting your upload key doesn’t affect the app signing key that Google Play uses to re-sign APKs before delivering them to users.’
So, I am not sure I understand why I see this warning.
And I am also wondering if there is any risk in doing ‘Request a key upgrade’. Do I run any risk of making updates of my app impossible? Or a risk of losing my subscribers?
Thanks for your help.
Upgrading the app signing key poses no risk for your users on the Play Store: Play will serve the app signed with the new key to new users and the app signed with the old key to your existing users (until they change device or reinstall your app, then they also get the one signed with the new key), so all upgrades will still work.
If users download your app through side channels (e.g. sideload an APK downloaded from another site), then it will depend on whether the signatures of the installed APK and the one they’re trying to upgrade to match.
The warning in the documentation is to make sure developers don’t confuse upload keys and app signing keys, e.g. thinking that resetting the upload key will fix the warning in the console about a weak app signing key. This is a completely separate process and the two keys are used for two completely different purposes.
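To make the sideloading point concrete: Android installs an update only if its signing certificate matches the one on the already-installed APK, and a Play-delivered APK (signed with the app signing key) and a build signed with your upload key carry different certificates. The following added example (not from the question, the answer, or Google's tooling) parses the per-signer SHA-256 certificate digests that `apksigner verify --print-certs` prints for two APKs and reports whether the second would install over the first. The output format is assumed from apksigner, and the sample output and fingerprints are constructed placeholders.

```python
import re
from typing import List

# Line printed by `apksigner verify --print-certs` for each signer's SHA-256 digest
# (format assumed from apksigner; every sample below is constructed, not real output).
_SHA256_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.MULTILINE
)

PLAY_KEY_SHA256 = "a1" * 32    # constructed placeholder for the app signing key cert
UPLOAD_KEY_SHA256 = "b2" * 32  # constructed placeholder for the upload key cert

# Constructed sample: the APK Play delivers, re-signed with the app signing key.
PLAY_SIGNED = (
    "Signer #1 certificate DN: CN=Play App Signing Key, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {PLAY_KEY_SHA256}\n"
    f"Signer #1 certificate SHA-1 digest: {'a1' * 20}\n"
)

# Constructed sample: the build you uploaded, signed only with the upload key.
UPLOAD_SIGNED = (
    "Signer #1 certificate DN: CN=Upload Key, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {UPLOAD_KEY_SHA256}\n"
    f"Signer #1 certificate SHA-1 digest: {'b2' * 20}\n"
)


def signer_digests(apksigner_output: str) -> List[str]:
    """Return the lowercase SHA-256 certificate digest of every signer, in order."""
    return [d.lower() for d in _SHA256_LINE.findall(apksigner_output)]


def update_is_installable(installed_output: str, update_output: str) -> bool:
    """True if the update's signer certificate set matches the installed app's.

    Android rejects an update whose signing certificates differ from the installed
    APK's; this check ignores APK Signature Scheme v3 key-rotation lineage, so a
    legitimately rotated key is reported as a mismatch here.
    """
    installed = signer_digests(installed_output)
    update = signer_digests(update_output)
    if not installed or not update:
        raise ValueError("no signer certificate found in apksigner output")
    return sorted(installed) == sorted(update)


if __name__ == "__main__":
    # A Play-delivered build updated by another Play-delivered build: same certificate.
    print("Play -> Play:", update_is_installable(PLAY_SIGNED, PLAY_SIGNED))
    # A Play-delivered build updated by a sideloaded upload-key build: mismatch.
    print("Play -> upload-key build:", update_is_installable(PLAY_SIGNED, UPLOAD_SIGNED))
```

In practice you would feed the script the real output of `apksigner verify --print-certs` for each APK; if the digests differ, a user who installed from Play cannot sideload your upload-key-signed build on top of it, and vice versa, which is exactly the situation the answer describes.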