Google Play and the Certificate Used to Sign the Apk You Uploaded Have Fingerprint:

Android requires that all APKs exist digitally signed with a certificate before they are installed on a device or updated. When releasing using Android App Bundles, you demand to sign your app parcel with an upload fundamental earlier uploading it to the Play Console, and Play App Signing takes intendance of the residual. For apps distributing using APKs on the Play Store (created before August 2021) or on other stores, you lot must manually sign your APKs for upload.

This folio guides you through some important concepts related to app signing and security, how to sign your app for release to Google Play using Android Studio, and how to configure Play App Signing.

The following is a high-level overview of the steps y'all might demand to have to sign and publish a new app to Google Play:

1. Generate an upload fundamental and keystore
2. Sign your app with your upload key
3. Configure Play App Signing
4. Upload your app to Google Play
5. Prepare & roll out release of your app

If instead your app is already published to the Google Play Store with an existing app signing central, or you would like to cull the app signing key for a new app instead of having Google generate it, follow these steps:

1. Sign your app with your app'due south signing key and select the selection to encrypt and export its signing fundamental.
2. Upload your app'south signing primal to Play App Signing.
3. (Recommended) Generate and register an upload certificate for future updates to your app
4. Upload your app to Google Play
5. Set & roll out release of your app

This page also explores how to manage your own keys for when uploading your app to other app stores. If you do not use Android Studio or would rather sign your app from the command line, learn about how to use apksigner.

Play App Signing

With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution. And, because app bundles defer edifice and signing APKs to the Google Play Shop, y'all need to configure Play App Signing before you upload your app package. Doing so lets yous do good from the following:

• Use the Android App Packet and back up Google Play's advanced commitment modes. The Android App Bundle makes your app much smaller, your releases simpler, and makes it possible to use feature modules and offer instant experiences.
• Increment the security of your signing key, and brand it possible to use a dissever upload primal to sign the app bundle yous upload to Google Play.

• One time key upgrade for new installs lets you change your app signing central in example your existing one is compromised or if you need to migrate to a cryptographically stronger primal

Play App Signing uses 2 keys: the app signing key and the upload key, which are described in farther particular in the department virtually Keys and keystores. You keep the upload central and utilize it to sign your app for upload to the Google Play Store. Google uses the upload document to verify your identity, and signs your APK(southward) with your app signing key for distribution as shown in figure 1. By using a separate upload key you can request an upload key reset if your key is ever lost or compromised.

By comparison, for apps created before August 2021 that have not opted in to Play App Signing, if you lose your app's signing key, you lose the ability to update your app.

Figure 1. Signing an app with Play App Signing

Your keys are stored on the aforementioned infrastructure that Google uses to store its own keys, where they are protected by Google's Key Management Service. You can learn more nigh Google'south technical infrastructure by reading the Google Cloud Security Whitepapers.

When y'all apply Play App Signing, if you lot lose your upload key, or if it is compromised, you lot tin can contact Google to revoke your erstwhile upload key and generate a new ane. Because your app signing primal is secured by Google, you lot can go on to upload new versions of your app as updates to the original app, even if you change upload keys. To learn more, read Reset a lost or compromised individual upload key.

The next section describes some important terms and concepts related to app signing and security. If you'd rather skip ahead and larn how to prepare your app for upload to the Google Play Shop, go to Sign your app for release.

Keystores, keys, and certificates

Java Keystores (.jks or .keystore) are binary files that serve every bit repositories of certificates and private keys.

A public central certificate (.der or .pem files), also known as a digital certificate or an identity certificate, contains the public key of a public/individual key pair, as well every bit some other metadata identifying the owner (for instance, name and location) who holds the corresponding private key.

The following are the unlike types of keys you should understand:

• App signing key: The fundamental that is used to sign APKs that are installed on a user's device. As part of Android's secure update model, the signing key never changes during the lifetime of your app. The app signing key is private and must be kept undercover. You tin, however, share the certificate that is generated using your app signing key.

• Upload primal: The key you utilise to sign the app parcel or APK earlier you upload it for app signing with Google Play. You must keep the upload key clandestine. However, y'all tin share the document that is generated using your upload central. You may generate an upload cardinal in i of the following ways:

  • If you choose for Google to generate the app signing key for you when you opt in, then the key you lot use to sign your app for release is designated as your upload primal.
  • If you provide the app signing key to Google when opting in your new or existing app, then you lot have the option to generate a new upload key during or after opting in for increased security.
  • If you do not generate a new upload central, you continue to utilize your app signing key as your upload cardinal to sign each release.

  Tip: To keep your keys secure, it'southward a good idea to make certain your app signing key and upload fundamental are different.

Working with API providers

You lot tin download the certificate for the app signing fundamental and your upload fundamental from the Release > Setup > App Integrity folio in the Play Console. This is used to register public fundamental(due south) with API providers; it's intended to be shared, as information technology does not comprise your private key.

A certificate fingerprint is a short and unique representation of a document that is oftentimes requested by API providers alongside the bundle name to annals an app to use their service. The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates tin exist institute on the app signing page of the Play Console. Other fingerprints can also exist computed by downloading the original certificate (.der) from the same folio.

Sign your debug build

When running or debugging your projection from the IDE, Android Studio automatically signs your app with a debug document generated by the Android SDK tools. The first fourth dimension you lot run or debug your project in Android Studio, the IDE automatically creates the debug keystore and certificate in $HOME/.android/debug.keystore, and sets the keystore and central passwords.

Because the debug certificate is created by the build tools and is insecure by design, well-nigh app stores (including the Google Play Store) do non accept apps signed with a debug certificate for publishing.

Android Studio automatically stores your debug signing information in a signing configuration and so you do not accept to enter it every time yous debug. A signing configuration is an object consisting of all of the necessary data to sign your app, including the keystore location, keystore password, fundamental name, and primal password.

For more than information well-nigh how to build and run apps for debugging, see Build and Run Your App.

Expiry of the debug certificate

The cocky-signed certificate used to sign your app for debugging has an expiration appointment of thirty years from its cosmos date. When the certificate expires, you get a build fault.

To set this problem, just delete the debug.keystore file stored in i of the post-obit locations:

• ~/.android/ on OS Ten and Linux
• C:\Documents and Settings\user\.android\ on Windows XP
• C:\Users\user\.android\ on Windows Vista and Windows seven, 8, and 10

The next time you lot build and run a debug version of your app, Android Studio regenerates a new keystore and debug key.

Sign your app for release to Google Play

When y'all are ready to publish your app, you need to sign your app and upload it to an app store, such every bit Google Play. When publishing your app to Google Play for the outset time, you lot must also configure Play App Signing. Play App Signing is optional for apps created before Baronial 2021. This section shows you how to properly sign your app for release and configure Play App Signing.

Generate an upload key and keystore

If you lot don't already have an upload key, which is useful when configuring Play App Signing, you can generate one using Android Studio as follows:

1. In the carte bar, click Build > Generate Signed Bundle/APK.
2. In the Generate Signed Package or APK dialog, select Android App Bundle or APK and click Next.
3. Below the field for Fundamental store path, click Create new.

4. On the New Fundamental Store window, provide the following information for your keystore and primal, as shown in figure 2.

   

   Figure 2. Create a new upload key and keystore in Android Studio.

5. Keystore

   • Key store path: Select the location where your keystore should be created. Too, a file name should exist added to the end of the location path with the .jks extension.
   • Password: Create and confirm a secure password for your keystore.

6. Fundamental

   • Allonym: Enter an identifying name for your key.
   • Password: Create and confirm a secure password for your key. This should be the same as your keystore password. (Delight refer to the known issue for more than data)
   • Validity (years): Gear up the length of time in years that your primal will be valid. Your primal should be valid for at to the lowest degree 25 years, so you lot can sign app updates with the same key through the lifespan of your app.
   • Certificate: Enter some data about yourself for your certificate. This data is non displayed in your app, but is included in your certificate as part of the APK.

7. Once you complete the grade, click OK.

8. If you would similar to build and sign your app with your upload key, continue to the department about how to Sign your app with your upload fundamental. If you only want to generate the fundamental and keystore, click Abolish.

Sign your app with your cardinal

If you already have an upload cardinal, use it to sign your app. If instead your app is already signed and published to the Google Play store with an existing app signing key, use it to sign your app and make sure to encrypt and export information technology to opt your app in to Play App Signing. Y'all tin afterward generate a separate upload key and annals your upload key's public certificate with Google Play to sign and upload subsequent updates to your app.

To sign your app using Android Studio, and export an existing app signing primal, follow these steps:

1. If you don't currently have the Generate Signed Parcel or APK dialog open, click Build > Generate Signed Bundle/APK.
2. In the Generate Signed Packet or APK dialog, select either Android App Package or APK and click Side by side.
3. Select a module from the drib downwardly.

4. Specify the path to your keystore, the alias for your cardinal, and enter the passwords for both. If you oasis't withal prepared your upload keystore and key, first Generate an upload central and keystore and so return to complete this step.

   

   Figure three. Sign your app with your upload key.

5. If you're signing an app parcel with an existing app signing key, and you lot'd like to later on opt your app in to Play App Signing, bank check the box next to Export encrypted central and specify a path to save your signing key equally an encrypted *.pepk file. You can and then use your encrypted app signing primal to opt in an existing app into Play App Signing.

6. Click Next.

7. In the next window (shown in figure 4), select a destination folder for your signed app, select the build blazon, choose the production flavor(s) if applicable.

8. If y'all are building and signing an APK, yous need to select which Signature Versions you desire your app to support. To learn more, read about app signing schemes

9. Click Finish.

   

   Figure four. Generate a signed version of your app for the selected product flavors.

Figure v. Click the link in the popup to analyze or locate your app bundle, or locate your exported signing key.

After Android Studio finishes building your signed app, you lot can either locate or analyze your app by clicking on the advisable option in the pop-up notification. If you selected the option to export your signing key, you can quickly navigate to it by clicking the dropdown arrow in the bottom right corner of the popup to aggrandize information technology and clicking Prove Exported Key File, as shown in effigy 5.

Now you're set up to opt your app in to Play App Signing and upload your app for release. If you're new to the app publishing process, yous may want to read the Launch overview. Otherwise, go on to the page about how to Upload your app to the Play Panel.

Using Play App Signing

As described before in this page, configuring Play App Signing is required to sign your app for distribution through Google Play (except for apps created earlier August 2021, which may go on distributing self-signed APKs). The steps you need to accept depend on whether your app has non yet been published to Google Play, or your app is already signed and was published earlier August 2021 using an existing app signing primal.

Configure a new app

To configure signing for an app that has non yet been published to Google Play, proceed equally follows:

1. If you haven't already done so, generate an upload key and sign your app with that upload central.
2. Sign in to your Play Panel.
3. Follow the steps to fix & curl out your release to create a new release.
4. Afterward you choose a release rails, configure app signing under the App Integrity section as follows:
   • To have Google Play generate an app signing fundamental for y'all and use it to sign your app, you lot don't have to do annihilation. The key you use to sign your get-go release becomes your upload central, and you should use it to sign future releases.
   • To apply the same key as another app on your programmer business relationship, select Alter app signing key > Use my ain primal > Use the same central as another app in this business relationship, select an app, and then click Continue.
   • To provide your own signing key for Google to employ when signing your app, select Modify app signing fundamental > Use my own fundamental and select ane of the options that lets you lot deeply upload a private key and its public certificate.

In the section called App Bundles, click Browse files to locate and upload the app you signed using your upload key. For more data nigh releasing your app, refer to gear up & roll out your release. When you release your app after configuring Play App Signing, Google Play generates (unless you upload an existing key) and manages your app's signing key for you. Simply sign subsequent updates to your app using your app's upload key earlier uploading information technology to Google Play.

If you need to create a new upload cardinal for y'all app, go to the section about how to Reset a lost or compromised private upload primal.

Opt in an existing app

If you're updating an app that's already published to Google Play using an existing app signing cardinal, you can opt in to Play App Signing every bit follows:

1. If you haven't already done so, sign your app using Android Studio with your existing app signing central and make certain to check the box side by side to Export encrypted key to salve your signing key as an encrypted *.pepk file. You'll need this file in a afterwards footstep. This can likewise be washed using the PEPK tool, which you tin can download from the Play Console.
2. Sign in to your Play Console and navigate to your app.
3. On the left menu, click Release > Setup > App integrity.
4. If applicable, review the Terms of Service and select Accept.
5. Select one of the options that all-time describes the signing key you want to upload to Google Play and follow the instructions that are shown. For example, if you used Android Studio to export your app'south signing primal, as described on this folio, select Upload a key exported from Android Studio and upload the *.pepk file for your key.
6. Click Enroll.

You lot should now see a page with the details of your app's signing and upload certificates. Google Play at present signs your app with your existing key when deploying information technology to users. However, ane of the most important benefits to Play App Signing is the power to dissever the key yous use to sign the artifact you upload to Google Play from the cardinal that Google Play uses to sign your app for distribution to users. So, consider following the steps in the next section to generate and register a split up upload primal.

Generate and register an upload document

When you lot're publishing an app that is not signed by an upload key, the Google Play Console provides the pick to register ane for future updates to the app. Although this is an optional step, it'due south recommended that you publish your app with a key that's separate from the 1 Google Play uses to distribute your app to users. That fashion, Google keeps your signing primal secure, and you lot have the option to reset a lost or compromised private upload fundamental. This section describes how to create an upload key, generate an upload certificate from it, and annals that document with Google Play for future updates of your app.

The post-obit describes the situations in which you meet the option to annals an upload certificate in the Play Panel:

• When you publish a new app that's signed with a signing key and opt it in to Play App Signing.
• When y'all are nearly to publish an existing app that's already opted in to Play App Signing, but it is signed using its signing cardinal.

If you are not publishing an update to an existing app that's already opted in to Play App Signing, and you'd like to register an upload document, complete the steps below and continue on to the section almost how to reset a lost or compromised private upload fundamental.

If you lot haven't already done then, generate an upload key and keystore.

Subsequently you create your upload fundamental and keystore, yous need to generate a public document from your upload key using keytool, with the following control:

$ keytool -export -rfc   -keystore          your-upload-keystore.jks          -alias          upload-alias          -file          output_upload_certificate.pem        

Now that you have your upload certificate, register it with Google when prompted in the Play Console or read the section below to register it though the Google Play back up team.

Upgrade your app signing key

In some circumstances, you might want to change your app's signing primal. For example, because you lot want a cryptographically stronger key or your signing primal has been compromised. However, because users tin only update your app if the update is signed with the aforementioned signing primal, information technology'due south difficult to modify the signing key for an app that'southward already published.

If you publish your app to Google Play, you can upgrade the signing key for your published app through the Play Console—your new key is used to sign new installs and app updates, while your older app signing key is used to sign updates for users who installed your app before the fundamental upgrade.

To larn more, read Upgrade your app signing central for new installs.

Reset a lost or compromised private upload key

If you lost your private upload fundamental or your private key has been compromised, you can create a new one and contact the Google Play back up squad to reset the key.

Configure the build process to automatically sign your app

In Android Studio, you lot can configure your project to sign the release version of your app automatically during the build process past creating a signing configuration and assigning information technology to your release build type. A signing configuration consists of a keystore location, keystore password, central allonym, and key password. To create a signing configuration and assign it to your release build type using Android Studio, consummate the post-obit steps:

1. In the Projection window, right click on your app and click Open Module Settings.
2. On the Projection Structure window, under Modules in the left console, click the module you would similar to sign.
3. Click the Signing tab, so click Add .

4. Select your keystore file, enter a name for this signing configuration (as y'all may create more than than 1), and enter the required data.

   

   Figure 7. The window for creating a new signing configuration.

5. Click the Build Types tab.
6. Click the release build.

7. Nether Signing Config, select the signing configuration you just created.

   

   Figure 8. Select a signing configuration in Android Studio.

8. Click OK.

Now every fourth dimension you build your release build type past selecting an option under Build > Build Bundle(due south) / APK(s) in Android Studio, the IDE volition sign your app automatically, using the signing configuration you specified. You tin can observe your signed APK or app bundle in the build/outputs/ directory inside the projection directory for the module you lot are building.

When you create a signing configuration, your signing information is included in plain text in your Gradle build files. If you are working in a team or sharing your code publicly, y'all should go on your signing information secure by removing it from the build files and storing it separately. You lot tin read more about how to remove your signing information from your build files in Remove Signing Information from Your Build Files. For more than almost keeping your signing information secure, read Secure your key.

Sign each product season differently

If your app uses product flavors and you lot would like to sign each flavor differently, you can create additional signing configurations and assign them by flavor:

1. In the Project window, right click on your app and click Open up Module Settings.
2. On the Project Structure window, under Modules in the left panel, click the module you would like to sign.
3. Click the Signing tab, then click Add .

4. Select your keystore file, enter a proper noun for this signing configuration (every bit you may create more than one), and enter the required information.

   

   Figure 10. The window for creating a new signing configuration.

5. Repeat steps 3 and four as necessary until you have created all your signing configurations.
6. Click the Flavors tab.
7. Click the flavour yous would like to configure, and so select the advisable signing configuration from the Signing Config dropdown menu.

   Effigy 11. Configure signing settings by product flavor.

   Repeat to configure any additional product flavors.

8. Click OK.

Yous can also specify your signing settings in Gradle configuration files. For more data, see Configuring Signing Settings.

Manage your own signing key

If you cull not to opt in to Play App Signing (just for apps created before Baronial 2021), you can manage your own app signing key and keystore. Go along in listen, you lot are responsible for securing the key and the keystore. Additionally, your app will not be able to support Android App Bundles, Play Characteristic Delivery and Play Asset Commitment.

When you are gear up to create your own key and keystore, make sure y'all outset choose a strong countersign for your keystore and a separate strong password for each individual primal stored in the keystore. You must keep your keystore in a safe and secure identify. If y'all lose admission to your app signing key or your key is compromised, Google cannot recollect the app signing cardinal for you, and you will not be able to release new versions of your app to users as updates to the original app. For more than data, see Secure your key, below.

If you lot manage your ain app signing key and keystore, when you sign your APK, yous will sign it locally using your app signing key and upload the signed APK direct to the Google Play Shop for distribution as shown in figure 10.

Figure 12. Signing an app when you manage your own app signing key

When you use Play App Signing, Google keeps your signing key safe, and ensures your apps are correctly signed and able to receive updates throughout their lifespans. However, if you determine to manage your app signing key yourself, there are a few considerations you should keep in mind.

Signing considerations

You should sign your app with the same certificate throughout its expected lifespan. In that location are several reasons why you should do and so:

• App upgrade: When the system is installing an update to an app, it compares the document(s) in the new version with those in the existing version. The organization allows the update if the certificates friction match. If you sign the new version with a dissimilar certificate, y'all must assign a dissimilar package name to the app—in this instance, the user installs the new version equally a completely new app.
• App modularity: Android allows APKs signed by the aforementioned certificate to run in the aforementioned process, if the apps so request, so that the system treats them as a single app. In this style you tin can deploy your app in modules, and users can update each of the modules independently.
• Code/data sharing through permissions: Android provides signature-based permissions enforcement, and then that an app tin betrayal functionality to another app that is signed with a specified document. By signing multiple APKs with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure mode.

If you lot plan to support upgrades for an app, ensure that your app signing primal has a validity menses that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key's validity catamenia expires, users will no longer be able to seamlessly upgrade to new versions of your app.

If you plan to publish your apps on Google Play, the central you use to sign your app must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.

Proceed your key secure

If y'all cull to manage and secure your app signing key and keystore yourself (instead of opting in to Play App Signing), securing your app signing key is of critical importance, both to you and to the user. If you let someone to utilize your primal, or if you go out your keystore and passwords in an unsecured location such that a third-party could detect and use them, your authoring identity and the trust of the user are compromised.

If a third political party should manage to accept your app signing key without your knowledge or permission, that person could sign and distribute apps that maliciously supercede your accurate apps or corrupt them. Such a person could also sign and distribute apps under your identity that attack other apps or the system itself, or corrupt or steal user data.

Your private central is required for signing all future versions of your app. If you lose or misplace your key, you volition not be able to publish updates to your existing app. You lot cannot regenerate a previously generated key.

Your reputation as a developer entity depends on your securing your app signing cardinal properly, at all times, until the key is expired. Hither are some tips for keeping your central secure:

• Select potent passwords for the keystore and fundamental.
• Do not give or lend anyone your private cardinal, and do not allow unauthorized persons know your keystore and key passwords.
• Keep the keystore file containing your individual key in a safety, secure place.

In full general, if you follow common-sense precautions when generating, using, and storing your primal, it will remain secure.

Remove signing data from your build files

When y'all create a signing configuration, Android Studio adds your signing data in plain text to the module's build.gradle files. If you are working with a team or open-sourcing your code, y'all should movement this sensitive information out of the build files so it is not hands accessible to others. To do this, you should create a separate properties file to store secure data and refer to that file in your build files equally follows:

1. Create a signing configuration, and assign information technology to one or more build types. These instructions presume yous accept configured a single signing configuration for your release build blazon, as described in Configure the build process to automatically sign your app, above.
2. Create a file named keystore.backdrop in the root directory of your project. This file should contain your signing information, as follows:

   storePassword=myStorePassword keyPassword=mykeyPassword keyAlias=myKeyAlias storeFile=myStoreFileLocation            

3. In your module's build.gradle file, add code to load your keystore.properties file before the android {} cake.

   Not bad

   ...  // Create a variable called keystorePropertiesFile, and initialize it to your // keystore.properties file, in the rootProject binder. def keystorePropertiesFile = rootProject.file("keystore.properties")  // Initialize a new Properties() object called keystoreProperties. def keystoreProperties = new Properties()  // Load your keystore.properties file into the keystoreProperties object. keystoreProperties.load(new FileInputStream(keystorePropertiesFile))  android {     ... }                

   Kotlin

   ... import coffee.util.Properties import coffee.io.FileInputStream  // Create a variable called keystorePropertiesFile, and initialize it to your // keystore.backdrop file, in the rootProject binder. val keystorePropertiesFile = rootProject.file("keystore.properties")  // Initialize a new Properties() object called keystoreProperties. val keystoreProperties = Properties()  // Load your keystore.properties file into the keystoreProperties object. keystoreProperties.load(FileInputStream(keystorePropertiesFile))  android {     ... }                

   Annotation: Y'all could choose to shop your keystore.backdrop file in another location (for example, in the module folder rather than the root folder for the project, or on your build server if you are using a continuous integration tool). In that case, y'all should alter the code above to correctly initialize keystorePropertiesFile using your actual keystore.properties file's location.

4. You can refer to properties stored in keystoreProperties using the syntax keystoreProperties['propertyName']. Modify the signingConfigs cake of your module'south build.gradle file to reference the signing data stored in keystoreProperties using this syntax.

   Groovy

   android {     signingConfigs {         config {             keyAlias keystoreProperties['keyAlias']             keyPassword keystoreProperties['keyPassword']             storeFile file(keystoreProperties['storeFile'])             storePassword keystoreProperties['storePassword']         }     }     ...   }

   Kotlin

   android {     signingConfigs {         getByName("config") {             keyAlias = keystoreProperties["keyAlias"]             keyPassword = keystoreProperties["keyPassword"]             storeFile = file(keystoreProperties["storeFile"])             storePassword = keystoreProperties["storePassword"]         }     }     ...   }

5. Open up the Build Variants tool window and ensure that the release build blazon is selected.
6. Select an pick under Build > Build Bundle(s) / APK(southward) to build either an APK or app parcel of your release build. Yous should meet the build output in the build/outputs/ directory for your module.

Because your build files no longer contain sensitive information, you lot can now include them in source control or upload them to a shared codebase. Be sure to proceed the keystore.properties file secure. This may include removing it from your source control system.

mendozathadell.blogspot.com

Source: https://developer.android.com/studio/publish/app-signing

Share this post