I made an Android app and want to release it under GNU GPL. When I upload it to Google Play, I will have to sign it with my digital signature key, so in a sense my private key plays a crucial role in assembling the installation package for my app.
However, users who modify the code can still compile and install an unsigned version if they allowed installing unsigned content on their device, yet still the original .apk file released by me cannot be reproduced this way because they don’t have my signature.
Long story short: do you think GNU GPL version 3 require me to publish my private key as well? (I hope not.)
CAVEAT EMPTOR. I am not a lawyer but I’ve done enough product management to know my way around agreements. If you’re really concerned, then consult a pro lawyer who knows software.
GPL 3 specifies that if there is some device/platform restriction (“tivoisation”), then you are required to include in your readme, about or whatever, instructions on how someone who modifies your software can install it on their device. Since your app is Android, this is straightforward and would require no more than a reference to the root of the Google documentation which describes how to compile, build and release an app to the Play Store.
Nowhere does it say that you must include signing keys or similar facets needed to complete the build. It simply states that nothing must constrain the user in modifying and reusing your code, and not including your key is no impediment to them doing so.
Play Store is designed around all kinds of principals, one of which is one publisher/app, one key. Nothing requires you to publish your key and, one of the ultimate tests in law, no reasonable person would expect you to do so.
From the docs