Since 2011, GPlay requires you to use Play Signing. You can have Google generate the keys or you can upload your own keys, but the private key ends up with Google.
You can create a key pair for uploading artifacts (the "upload key") for which you only need to upload the public key, but the signing keys need to end up over at Google.
Older apps (uploaded before August 2021) are exempt, though. Apps distributed through other channels (F-Droid, Amazon App Store, etc.) are also exempt, of course.
Ah, so having to upload the key is new as of Aug 2021. If Google is indeed smart about it, they'd have blocked these compromised keys from being used by developers other than the whitelisted ones.