Is the Leaked App Signing Key Really Legitimate?

It's root in all but name. Unless you have specifically jailbroken and rooted your phone yourself, it's closer to root than you can get. The whole point of the signing key is this is supposed to prove that this is legit software from Samsung or LG or MediaTek. It seems as if they don't have a written down ready to go policy for if our key gets compromised. And there is no world in which just ignoring a leaked app signing key for four years while you continue to use that key to sign new apps and updates are passable security hygiene anywhere.