
Issue with user managed GCP public key for Service Account - treated as Google managed instead

We are encountering an urgent issue with uploading public keys to service accounts in Google Cloud Platform. When we upload a public key to a newly created service account, it is incorrectly labeled as "Google managed" (with the Google icon on the left) instead of "Uploaded" (arrow-up icon). This issue does not occur with older service accounts, where the certificates are uploaded and labeled correctly.

Consequences:

This mislabeling has significant consequences for our product, causing breaking changes. Specifically:

  1. The certificate map exposed at: https://www.googleapis.com/robot/v1/metadata/x509/<sa_account@project>.iam.gserviceaccount.com has a different key/id for the uploaded certificate.
  2. The expected behavior for uploaded certificates is for the ID to be the SHA-1 checksum of the certificate file (shasum /path/to/file), whereas the expected ID for a Google managed certificate is the SHA-1 checksum of the certificate itself (openssl x509 -in ./public_key.pem -noout -fingerprint).

By changing how the ID gets generated, our product breaks as it cannot find the certificate in the endpoint above.

We are curious to know why this issue is occurring with newly created service accounts and are looking for guidance on how to ensure uploaded public keys are correctly labeled as "Uploaded". Is there a GCP setting or policy that we need to change to resolve this?
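The two id derivations described above can be checked directly from the certificate file. The script below is an added example and is not code from the original post or from Google: it computes the "Uploaded" id (SHA-1 over the raw file bytes, as `shasum` reports) and the "Google managed" id (SHA-1 over the DER-encoded certificate, which is what `openssl x509 -fingerprint` hashes, normalized to the bare lowercase hex form used as map keys), then looks both up in a map shaped like the x509 metadata endpoint's response to report which labelling the key actually received. The PEM body and the metadata map are constructed stand-ins, not a real certificate or a real endpoint response; the assumption that the endpoint's map keys are bare lowercase hex is the author's.

```python
import base64
import hashlib
import re

# Constructed stand-in for a public-key certificate file (NOT a real X.509
# certificate: the body is arbitrary bytes wrapped in PEM armor, which is
# enough to show how the two candidate key ids are derived and compared).
DER_BYTES = b"constructed-stand-in-for-DER-certificate-bytes"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(DER_BYTES)
    + b"-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_bytes: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the body, as openssl does."""
    match = _PEM_BLOCK.search(pem_bytes)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode(b"".join(match.group(1).split()))


def uploaded_key_id(pem_bytes: bytes) -> str:
    """Id the thread reports for an 'Uploaded' key: SHA-1 of the file bytes
    themselves, i.e. what `shasum /path/to/file` prints."""
    return hashlib.sha1(pem_bytes).hexdigest()


def google_managed_key_id(pem_bytes: bytes) -> str:
    """Id the thread reports for a 'Google managed' key: the SHA-1 certificate
    fingerprint (computed over the DER encoding, as
    `openssl x509 -noout -fingerprint` does), as bare lowercase hex."""
    return hashlib.sha1(pem_to_der(pem_bytes)).hexdigest()


def normalize_fingerprint(openssl_output: str) -> str:
    """Turn 'SHA1 Fingerprint=AB:CD:...' (openssl's display form) into the
    bare lowercase hex form assumed here for the metadata map keys."""
    _, _, value = openssl_output.partition("=")
    return value.strip().replace(":", "").lower()


def classify_key(pem_bytes: bytes, cert_map: dict):
    """Look the certificate up in an x509 metadata map by both candidate ids.

    Returns ("uploaded", id), ("google-managed", id) or (None, None), so a
    consumer can report which labelling the service account key received
    instead of failing silently when the id it expected is absent."""
    for label, key_id in (
        ("uploaded", uploaded_key_id(pem_bytes)),
        ("google-managed", google_managed_key_id(pem_bytes)),
    ):
        if key_id in cert_map:
            return label, key_id
    return None, None


if __name__ == "__main__":
    # Constructed response in the shape of the x509 metadata endpoint
    # ({key_id: pem_cert}) for an account whose uploaded key was labelled as
    # Google managed, which is the mislabelling described in the post.
    metadata_map = {google_managed_key_id(SAMPLE_PEM): SAMPLE_PEM.decode()}
    label, key_id = classify_key(SAMPLE_PEM, metadata_map)
    print(f"expected id (uploaded): {uploaded_key_id(SAMPLE_PEM)}")
    print(f"observed id ({label}): {key_id}")
```

In practice the map would be fetched from the metadata URL for the service account and the PEM read from disk; the lookup returning "google-managed" for a key you uploaded is the condition the post describes, and alerting on it is cheaper than debugging the downstream "certificate not found" failure.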

Solved
1 ACCEPTED SOLUTION

Google Cloud product and engineering team has acknowledged this issue and released a fix. We have verified the fix so closing this issue as solved.

