Apparently this requires a hole to be punched in the sandbox to allow android apps to "impersonate" other apps (by way of signature spoofing).

The lineage folks didn't want to merge it in on grounds of security concerns.

(I'm not affiliated with the project, I just read the code reviews because I had the exact same question).

EDIT: for those interested: https://review.lineageos.org/#/c/64967/ and https://review.lineageos.org/#/c/65366/

More information: http://blogs.fsfe.org/larma/2016/microg-signature-spoofing-s...

In order to use MicroG, it is required to patch the ROM to allow app signature spoofing. People from LineageOS claim that this can be a huge security risk (and they are right) but there is no other way to achieve an implementation like this.

So MicroG people created this fork with the patch builtin.

More info here: https://github.com/microg/android_packages_apps_GmsCore/wiki...

See https://lineage.microg.org/#faq7

Also http://blogs.fsfe.org/larma/2016/microg-signature-spoofing-s... is an interesting read

"Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?

No. LineageOS' developers hide behind the "security reasons" shield, but in reality they don't care enough about the freedom of their users to risk to upset Google by giving them an alternative to the Play Services."

LineageOS's have a policy of not circumventing integrity checks e.g.:

https://www.lineageos.org/Safetynet/

The people behind this ROM seem a bit immature if that's how they react to their policy especially since they're just taking the upstream code wholesale to stick their patch in.