Skip to content Skip to sidebar Skip to footer
Home / cant upload new apk to google play app signing

cant upload new apk to google play app signing

Post a Comment

When distributing our Android Applications nosotros've ever been required to sign our APK using a keystore for our application — this has allowed us to ensure that only the developer(southward) of our app are able to upload updated APKs to the play console. However, because this keystore acts as a fingerprint to the lifecycle of our awarding — if anything was to happen to this and so nosotros striking a bit of a tricky situation. Because of the disadvantages that the electric current signing process brings, Google Play App Signing is here to assist make things smoother. In this commodity I want to swoop into this App Signing method so that we can get information technology integrated into our applications.

App Signing is a new process available for developers that allows the states to offload the signing of our release APKs onto Google. Once we have provided the Play Panel with our app signing fundamental, we can upload our APK and Google will sign them for u.s.a. prior to delivering information technology to our users.

Whilst the current way of signing APKs works, there are some flaws which can often bring a lilliputian chip of fear to the minds of developers:

  • If you lose your key and so this prevents you from updating your application. Maybe your computer fails, your backup is lost or information technology is simply misplaced in some style — any state of affairs where your cardinal is lost ways yous will non be able to update your awarding.
  • Your key could get compromised past someone with malicious intent — in this case the person with the primal can update your application and because there is no way of revoking this access, there'southward non also much you can do to regain access to your central.

When using Google App Signing, the huge advantage is that Google manages the signing fundamental for our application — meaning that nosotros tin salvage the force per unit area of existence completely responsible for our keystore. When it comes to App Signing there are two different keys that are used for the signing process:

  • App Signing Key — The key used past Google to sign the APK prior to release
  • Upload Key — A primal used by the programmer to upload the APK to the Play Console

Every bit you can see, developers will still be required to keep their ain copy of the Upload Key for use when uploading APKs — the divergence now is that this Upload Key is not responsible for the signing of a release build, it is simply used to identify the developer who is making the upload. Because this is not a unique key used for signing the release APK of an awarding, it means that information technology tin be replaced by Google at any time. So if an Upload Cardinal is lost, compromised or should no longer accept upload rights for whatever reason so Google can revoke this primal and generate a new i for apply.

And so to sum this up, you lot tin view the Upload Key every bit an authoritative key, but not a master fundamental — information technology gives permission for the Programmer to upload APKs to the Play Console but non distribute them, that part comes nether the permissions of the App Signing Key.

If y'all're uploading APKs for your application then this process is completely optional, you are welcome to continue managing your own keys — bearing in heed that you will not be able to make use of any advantages that App Signing brings. For example, if your signing key is lost or compromised then you will non longer be able to upload updated APKs for your application.

When it comes to the Android App Package format, App Signing is a compulsory process. This is because when it comes to App Bundles, Google Play needs to be able to sign the APKs for you before distribution — and so there is no fashion to exist able to acquit out this flow when keys are managed by the developer.

Regardless of whether you're using APKs or the App Bundle format, allow's take a await at how we can setup App Signing in our ain applications.

Porting an existing app

For this case we're going to have a wait at enabled App Signing for an existing application in the Play Panel. Before we get started though it is important to annotation that one time you lot opt-in for App Signing you cannot switch back to manual cardinal management — and then exist sure that yous definitely want to brand the switch earlier you enable information technology. And if y'all're unsure, maybe try it out on a sample app just to be certain (that's exactly what I did!).

To begin with, we need to navigate to the App Signing section in the console. This can exist found in the Navigation Drawer under Release Management > App Signing. When y'all reach this page, you will be presented with the Terms of Service for App Signing that you will need to accept before you can continue.

On this screen you lot'll so notice that you have iii options to setup App Signing, we'll be using the second, You haven't exported your app signing key, selection to export and upload our signing cardinal.

Configure an app signing cardinal

You'll demand to begin by downloading the Play Encrypt Private Primal tool (in the form of a jar file) that will exist used to encrypt your key earlier uploading. Once downloaded, you'll see the command inside the setup procedure that you lot demand to run, this will look a little something like this:

            java -jar pepk.jar — keystore=your.keystore              — allonym=your_alias— output=some_file_name              —-              encryptionkey=your_encryption_key

Here y'all'll execute the pepk.jar file that we previously downloaded and pass some information along equally arguments.

  • To begin with we must provide the path to the keystore which nosotros wish to encrypt.
  • Next, we provide the alias which is used to access the keystore that nosotros are encrypting.
  • We then provide a desired file name for the output statement, this will exist the name of the file that is generated for united states of america
  • Finally, the encryption cardinal value which is provided in the code displayed by the Play Console during this process.

When you run this command you will exist asked for your keystore password. Upon inbound information technology, the app signing key will be generated and placed in the given output path. At this point y'all tin can then upload the cardinal using the given button in the setup process.

Configure an upload key

Just earlier you hitting the enrol push, you may detect an optional section which offers enhanced security for your awarding signing key — this is referring to the upload cardinal that we previously brushed over and the keystore used to generate this. Whilst this may experience similar no change from previously managing a key — the whole bespeak of this is to allow a different cardinal to be used for the upload process than the signing process. The upload fundamental is not a part of the Android security model, so information technology cannot exist used to sign APKs, only upload them.

Generating an upload key is a single step process. We tin create a new keystore for our upload process, and then use the following control to generate the required pem file for upload.

            keytool -consign -rfc -keystore              upload-keystore.jks              -alias              upload              -file              upload_certificate.pem

Once generated, yous volition be able to upload this file to the panel where requested.

One time you've hitting enrol, the App Signing screen will be reloaded and yous volition exist shown the success discover for App Signing setup:

Yous'll also discover hither that there are a collection of fingerprints bachelor for both the Signing and Upload certificates, available for download should they be required.

Now at any point if your upload key is lost of compromised, yous can create a new Upload Central using the same steps that nosotros carried above and contact Google through this form to provide a new upload fundamental to be used. Note, only the account possessor will be able to make this request.

Signing for new Applications

If you're creating a new application then this whole process doesn't use to you, as App Signing is enabled by default for you! When visiting the App Releases section of the play console for a new application (once you've uploaded an APK), y'all'll come across the following message:

Whilst virtually of the work here is done for u.s.a., there'south a couple of options that nosotros can employ to configure our keys here. To brainstorm with, if you choose not to dismiss the bulletin using Continue, you can Opt Out of App Signing by hitting the button shown on the left hand side.

However, yous also have the choice to reuse a signing key — this ways that the Signing Cardinal used past Google Play for another projection of yours can also be used for this new project that you're creating. This can however pose a security risk as if for whatever reason your business relationship become compromised, then all of your applications that depend on the compromised central could be at hazard.

In this commodity we've learnt about what App Signing is and how we can integrate it into our upload / release process. Putting this in place allows you to remove the responsibleness of security from your team and let Google accept care of that side of things — protecting you from losing or having your primal become compromised. If yous have any questions about App Signing, or experiences to share of your own so delight arrive touch!

stewartsaidee1971.blogspot.com

Source: https://medium.com/google-developer-experts/exploring-google-play-app-signing-b4d296f4ee9

Post a Comment for "cant upload new apk to google play app signing"