How to sign an application package (APK) using OpenPGP (YubiKey)?

Tagged: java

Use a USB token or a SmartCard which supports RSA 3072/4096 for personal identity verification? Not even the YubiKey 5 supports that for PIV / FIPS 201-2 (which is a SmartCard emulation). I've searched for a while, but it seems there is barely any hardware which supports it yet (in case it's even applicable); the alternatives I could find were RSA SecurID, Nitrokey Pro 2 and Gemalto IDBridge K50.

With APK signing v2 or v3, the strength of the upload key might not even matter that much ... it says RSA 1024, RSA 2048, RSA 4096, RSA 8192 and RSA 16384 are supported, but it says nowhere which strength the actual release key would have, which would be the rather interesting part of it. The V3SchemeSigner hints at the PKCS#1 v1.5 encoding format; but the only way to find out would be to check the public key of a package from the Play Store by running ssh-keygen -lf ./rsa_key.pub (which shows the fingerprint of the public key file, and also displays the strength of the key).

security.stackexchange.com might provide further clues.
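The check described in the answer above, as an added example that is not part of the original post: pull the signer certificate out of an APK downloaded from the Play Store, report the RSA modulus size in bits, and compare it against the 3072/4096-bit threshold the answer is asking about. It assumes openssl and unzip are installed. apksigner (from the Android build-tools) is used when it is on the PATH, because v2/v3 signatures live in the APK Signing Block, not in META-INF, so unzip can only see a v1 (JAR) signature; an app signed with v2/v3 alone has no META-INF/*.RSA entry at all.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions: openssl and unzip are installed; apksigner is optional.
set -eu

# cert_rsa_bits FILE
#   FILE is a DER-encoded PKCS#7 blob, e.g. the META-INF/CERT.RSA entry of a
#   v1-signed APK. Prints the RSA key size (bits) of the first certificate.
#   The sed pattern matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1.1)
#   and "Public-Key: (N bit)" (OpenSSL 3.x).
cert_rsa_bits() {
    openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null \
      | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
      | head -n 1
}

# apk_signer_bits APK
#   Prints the RSA key size of the APK's signing certificate.
#   With apksigner this covers v1, v2 and v3 signatures; without it only the
#   v1 JAR signature (META-INF/*.RSA) can be inspected.
apk_signer_bits() {
    apk=$1
    if command -v apksigner >/dev/null 2>&1; then
        # apksigner prints one "Signer #N key size (bits): X" line per signer.
        apksigner verify --print-certs "$apk" \
          | sed -n 's/.*key size (bits): \([0-9][0-9]*\).*/\1/p' \
          | head -n 1
    else
        tmp=$(mktemp)
        # Only RSA signers are handled here; ECDSA/DSA signers use .EC/.DSA.
        unzip -p "$apk" 'META-INF/*.RSA' > "$tmp"
        cert_rsa_bits "$tmp"
        rm -f "$tmp"
    fi
}

# key_strength_ok BITS MIN
#   Returns 0 when BITS is at least MIN, 1 otherwise; MIN is the policy
#   threshold (the answer argues for RSA 3072 or 4096).
key_strength_ok() {
    [ "$1" -ge "$2" ]
}

# Stand-alone usage: ./check_apk_key.sh app.apk [min_bits]
if [ $# -gt 0 ]; then
    bits=$(apk_signer_bits "$1")
    min=${2:-3072}
    if key_strength_ok "$bits" "$min"; then
        echo "signer key: RSA $bits bit (>= $min, ok)"
    else
        echo "signer key: RSA $bits bit (< $min, weak)"
        exit 2
    fi
fi
```

If you prefer the ssh-keygen route from the answer, export the certificate's public key first (openssl x509 -pubkey -noout -in cert.pem > key.pub) and convert it with ssh-keygen -i -m PKCS8 -f key.pub before running ssh-keygen -lf on the result; ssh-keygen does not read PKCS#8 PEM directly with -l.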