Why would someone want to breach Google's private signing keys? It's easy enough to get malware signed just by submitting it through their ordinary processes.

A better analogy would be the keys used by Microsoft to secure Outlook inboxes.