Knowledge Base

Google has announced changes to how Certificate Transparency (CT) log lists are published and maintained.

As a result, applications using third-party CT enforcement libraries must migrate to Google’s native CT enforcement libraries found in Android 16+. Any other libraries will cease working and should be removed from your application.

In this article:

• Why is DigiCert publishing this notice?
• What's changing and how does it affect users?
• Application breakage
• More information
   

Why is DigiCert publishing this notice?

DigiCert is publishing this notice as a courtesy to help customers avoid unexpected application failures. The changes described in this article are being made by Google and impact applications that adopted CT enforcement using non-Google libraries.

This issue does not affect the validity of publicly trusted TLS certificates or how DigiCert is logging certificates. The potential breakage risk arises when applications use third-party CT enforcement libraries instead of Google’s current CT enforcement library.
 

What's changing and how does it affect users?

Google is freezing versions of CT log lists that are served to third-party CT enforcement libraries. New logs will not be added to these lists. Google maintains two versions of the list it serves to libraries. Both lists are being frozen with different cutoff dates.

The logs on the frozen lists will go offline over time through the normal CT log lifecycle. As they expire, obtaining a valid set of SCTs from a log on the frozen list will become impossible, causing connections validated by these libraries to fail even though the certificates themselves remain valid and properly logged.

As a last resort for applications that cannot be updated, Google is supplementing the frozen lists with two 'mimic' logs. Because the private keys for these mimics are publicly available, the logs are not considered secure, nor do they have value in the transparency ecosystem. Any certificate can pass the CT check without being logged. DigiCert does not recommend this approach. The correct remediation is to remove the third-party library.

Google is making this change because third-party CT enforcement libraries have not demonstrated they can keep pace with the evolving CT ecosystem or implement industry best practices to minimize application breakage. 
 

Application breakage

Two separate kinds of breakage will occur under this plan. First, signaling breakage which will be deliberate, short outages over 2026 that are an early warning to developers of an issue. The second is a permanent breakage caused by the frozen lists decaying over time.

Temporary application breakage

Google has stated they are attempting to notify affected application developers. Because Google cannot reliably identify or contact all impacted developers, they plan to intentionally break these third-party applications as an early warning signal.

Signaling breakage timeline

• Will start on or after July 1, 2026

• Will occur between July 1 and November 1, 2026

• Will occur no more than once every two weeks

• Will last no longer than 4 hours 

Google will announce the first breakage on ct-policy@chromium.org. Google may not announce additional breakage events before they occur. 

Permanent application breakage

Permanent application breakage will happen progressively as certificates expire. When a certificate expires for a frozen log, a compatible SCT will not be available for its replacement.

If developers do not update their applications, those applications will eventually stop working. The timing depends on how current the application’s third-party CT enforcement libraries are.

Older versions of third-party CT enforcement libraries

Applications that rely on older versions of third-party CT enforcement libraries may stop working at any time.

Most up-to-date versions of third-party CT enforcement libraries

Applications that rely on the most up-to-date third-party CT enforcement libraries may start to break as soon as July 1, 2026. Warnings are already being displayed in the Google Play Console.

All versions of third-party CT enforcement libraries

Before July 1, 2027, all applications that rely on third-party CT enforcement libraries will start experiencing outages unless developers migrate away from third-party CT enforcement libraries and to Chrome’s CT enforcement library.
 

More information

See Google’s full announcement for technical background and guidance on how to prevent application breakage: Upcoming changes for applications using Chrome’s CT Log Lists.