Tags: android, google-play, certificate, google-play-console

How long is validity of app signing key when I 'Let Google create and manage my app signing key'?


When we create an app signing key for an Android app, we set Validity (years), which must be at least 25 years. For example, I can set it to 100 years.

But in the past few years, Play App Signing was introduced. If I create just the upload key (and do not create the app signing key myself), Google creates and manages the app signing key.

Then I wonder: how long is the validity of the app signing key created by Google? I want it to be at least 100 years. Isn't it 25 years? What will Google do when the app signing key expires?


Solution

  • The validity of a certificate is not used in the Android security model today. The requirement of 25 years' validity in the Play Console was probably just a rule "in case" Android would eventually change the security model to take this field into account, but it hasn't so far, and this is unlikely to change at least until an easy solution to rotate the signing key exists; and even then, it's questionable whether they'd want to start enforcing it.

    So, to answer your questions:

    • Certificates created by Google have a validity of 30 years.
    • Nothing will happen when the certificate expires (since Android ignores the validity date).
    • If Android ever decides to start enforcing certificate validity dates (as unlikely as it is), Google isn't just going to let all apps with expired certificates suddenly fail to install, so you can be sure that there will be an easy solution to rotate the certificate by then.