You Uploaded an Apk or Android App Bundle That Is Signed With a Restricted Certificate
Android requires that all APKs be digitally signed with a certificate before they are installed on a device or updated. When releasing using Android App Bundles, you need to sign your app bundle with an upload key before uploading it to the Play Console, and Play App Signing takes care of the rest. For apps distributing using APKs on the Play Store (created before August 2021) or on other stores, you must manually sign your APKs for upload.
This page guides you through some important concepts related to app signing and security, how to sign your app for release to Google Play using Android Studio, and how to configure Play App Signing.
The following is a high-level overview of the steps you might need to take to sign and publish a new app to Google Play:
- Generate an upload key and keystore
- Sign your app with your upload key
- Configure Play App Signing
- Upload your app to Google Play
- Prepare & roll out release of your app
If instead your app is already published to the Google Play Store with an existing app signing key, or you would like to choose the app signing key for a new app instead of having Google generate it, follow these steps:
- Sign your app with your app's signing key and select the option to encrypt and export its signing key.
- Upload your app's signing key to Play App Signing.
- (Recommended) Generate and register an upload certificate for future updates to your app
- Upload your app to Google Play
- Prepare & roll out release of your app
This page also explores how to manage your own keys for when uploading your app to other app stores. If you do not use Android Studio or would rather sign your app from the command line, learn about how to use apksigner.
Play App Signing
With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution. And, because app bundles defer building and signing APKs to the Google Play Store, you need to configure Play App Signing before you upload your app bundle. Doing so lets you benefit from the following:
- Use the Android App Bundle and support Google Play's advanced delivery modes. The Android App Bundle makes your app much smaller, your releases simpler, and makes it possible to use feature modules and offer instant experiences.
- Increase the security of your signing key, and make it possible to use a separate upload key to sign the app bundle you upload to Google Play.
- One time key upgrade for new installs lets you change your app signing key in case your existing one is compromised or if you need to migrate to a cryptographically stronger key.
Play App Signing uses two keys: the app signing key and the upload key, which are described in further detail in the section about Keys and keystores. You keep the upload key and use it to sign your app for upload to the Google Play Store. Google uses the upload certificate to verify your identity, and signs your APK(s) with your app signing key for distribution as shown in figure 1. By using a separate upload key you can request an upload key reset if your key is ever lost or compromised.
By comparison, for apps created before August 2021 that have not opted in to Play App Signing, if you lose your app's signing key, you lose the ability to update your app.
Your keys are stored on the same infrastructure that Google uses to store its own keys, where they are protected by Google's Key Management Service. You can learn more about Google's technical infrastructure by reading the Google Cloud Security Whitepapers.
When you use Play App Signing, if you lose your upload key, or if it is compromised, you can contact Google to revoke your old upload key and generate a new one. Because your app signing key is secured by Google, you can continue to upload new versions of your app as updates to the original app, even if you change upload keys. To learn more, read Reset a lost or compromised private upload key.
The next section describes some important terms and concepts related to app signing and security. If you'd rather skip ahead and learn how to prepare your app for upload to the Google Play Store, go to Sign your app for release.
Keystores, keys, and certificates
Java Keystores (.jks or .keystore) are binary files that serve as repositories of certificates and private keys.
A public key certificate (.der or .pem files), also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner (for example, name and location) who holds the corresponding private key.
The following are the different types of keys you should understand:
- App signing key: The key that is used to sign APKs that are installed on a user's device. As part of Android's secure update model, the signing key never changes during the lifetime of your app. The app signing key is private and must be kept secret. You can, however, share the certificate that is generated using your app signing key.
- Upload key: The key you use to sign the app bundle or APK before you upload it for app signing with Google Play. You must keep the upload key secret. However, you can share the certificate that is generated using your upload key. You may generate an upload key in one of the following ways:
  - If you choose for Google to generate the app signing key for you when you opt in, then the key you use to sign your app for release is designated as your upload key.
  - If you provide the app signing key to Google when opting in your new or existing app, then you have the option to generate a new upload key during or after opting in for increased security.
  - If you do not generate a new upload key, you continue to use your app signing key as your upload key to sign each release.
Tip: To keep your keys secure, it's a good idea to make sure your app signing key and upload key are different.
Working with API providers
You can download the certificate for the app signing key and your upload key from the Release > Setup > App Integrity page in the Play Console. This is used to register public key(s) with API providers; it's intended to be shared, as it does not contain your private key.
A certificate fingerprint is a short and unique representation of a certificate that is often requested by API providers alongside the package name to register an app to use their service. The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates can be found on the app signing page of the Play Console. Other fingerprints can also be computed by downloading the original certificate (.der) from the same page.
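The fingerprint computation described above, as an added example that is not part of the original page: a fingerprint is a hash of the certificate's DER bytes, so a .pem file has to be decoded first, because hashing the PEM text directly yields a value no provider will recognise. The function names and the sample bytes are assumptions; the sample is a constructed five-byte DER structure, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint algorithms named on this page.
ALGORITHMS = ("md5", "sha1", "sha256")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(data: bytes) -> bytes:
    """Return DER bytes from the contents of a .der or .pem certificate file."""
    match = PEM_BLOCK.search(data.decode("ascii", errors="ignore"))
    if match:
        # PEM is base64-encoded DER between the armor lines.
        data = base64.b64decode("".join(match.group(1).split()))
    # A DER certificate always starts with an ASN.1 SEQUENCE tag (0x30).
    if not data or data[0] != 0x30:
        raise ValueError("input is neither a DER nor a PEM certificate")
    return data


def fingerprint(cert_bytes: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase fingerprint, e.g. 'AB:CD:...'."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def matches(cert_bytes: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """Check a certificate against a fingerprint copied from a console or form."""
    actual = normalize(fingerprint(cert_bytes, algorithm))
    return hmac.compare_digest(actual, normalize(expected))


# Constructed sample input: SEQUENCE { INTEGER 1 }, in DER and PEM form.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name in ALGORITHMS:
        print(name, fingerprint(SAMPLE_PEM, name))
```
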
Sign your debug build
When running or debugging your project from the IDE, Android Studio automatically signs your app with a debug certificate generated by the Android SDK tools. The first time you run or debug your project in Android Studio, the IDE automatically creates the debug keystore and certificate in $HOME/.android/debug.keystore, and sets the keystore and key passwords.
Because the debug certificate is created by the build tools and is insecure by design, most app stores (including the Google Play Store) do not accept apps signed with a debug certificate for publishing.
Android Studio automatically stores your debug signing information in a signing configuration so you do not have to enter it every time you debug. A signing configuration is an object consisting of all of the necessary information to sign your app, including the keystore location, keystore password, key name, and key password.
For more information about how to build and run apps for debugging, see Build and Run Your App.
Expiry of the debug certificate
The self-signed certificate used to sign your app for debugging has an expiration date of 30 years from its creation date. When the certificate expires, you get a build error.
To fix this problem, simply delete the debug.keystore file stored in one of the following locations:
- ~/.android/ on OS X and Linux
- C:\Documents and Settings\user\.android\ on Windows XP
- C:\Users\user\.android\ on Windows Vista and Windows 7, 8, and 10
The next time you build and run a debug version of your app, Android Studio regenerates a new keystore and debug key.
Sign your app for release to Google Play
When you are ready to publish your app, you need to sign your app and upload it to an app store, such as Google Play. When publishing your app to Google Play for the first time, you must also configure Play App Signing. Play App Signing is optional for apps created before August 2021. This section shows you how to properly sign your app for release and configure Play App Signing.
Generate an upload key and keystore
If you don't already have an upload key, which is useful when configuring Play App Signing, you can generate one using Android Studio as follows:
- In the menu bar, click Build > Generate Signed Bundle/APK.
- In the Generate Signed Bundle or APK dialog, select Android App Bundle or APK and click Next.
- Below the field for Key store path, click Create new.
- On the New Key Store window, provide the following information for your keystore and key, as shown in figure 2.
  - Keystore
    - Key store path: Select the location where your keystore should be created. Also, a file name should be added to the end of the location path with the .jks extension.
    - Password: Create and confirm a secure password for your keystore.
  - Key
    - Alias: Enter an identifying name for your key.
    - Password: Create and confirm a secure password for your key. This should be the same as your keystore password. (Please refer to the known issue for more information)
    - Validity (years): Set the length of time in years that your key will be valid. Your key should be valid for at least 25 years, so you can sign app updates with the same key through the lifespan of your app.
    - Certificate: Enter some information about yourself for your certificate. This information is not displayed in your app, but is included in your certificate as part of the APK.
- Once you complete the form, click OK.
- If you would like to build and sign your app with your upload key, continue to the section about how to Sign your app with your upload key. If you only want to generate the key and keystore, click Cancel.
Sign your app with your key
If you already have an upload key, use it to sign your app. If instead your app is already signed and published to the Google Play store with an existing app signing key, use it to sign your app and make sure to encrypt and export it to opt your app in to Play App Signing. You can later generate a separate upload key and register your upload key's public certificate with Google Play to sign and upload subsequent updates to your app.
To sign your app using Android Studio, and export an existing app signing key, follow these steps:
- If you don't currently have the Generate Signed Bundle or APK dialog open, click Build > Generate Signed Bundle/APK.
- In the Generate Signed Bundle or APK dialog, select either Android App Bundle or APK and click Next.
- Select a module from the drop down.
- Specify the path to your keystore, the alias for your key, and enter the passwords for both. If you haven't yet prepared your upload keystore and key, first Generate an upload key and keystore and then return to complete this step.
- If you're signing an app bundle with an existing app signing key, and you'd like to later opt your app in to Play App Signing, check the box next to Export encrypted key and specify a path to save your signing key as an encrypted *.pepk file. You can then use your encrypted app signing key to opt in an existing app into Play App Signing.
- Click Next.
- In the next window (shown in figure 4), select a destination folder for your signed app, select the build type, choose the product flavor(s) if applicable.
- If you are building and signing an APK, you need to select which Signature Versions you want your app to support. To learn more, read about app signing schemes.
- Click Finish.
After Android Studio finishes building your signed app, you can either locate or analyze your app by clicking on the appropriate option in the pop-up notification. If you selected the option to export your signing key, you can quickly navigate to it by clicking the dropdown arrow in the bottom right corner of the popup to expand it and clicking Show Exported Key File, as shown in figure 5.
Now you're ready to opt your app in to Play App Signing and upload your app for release. If you're new to the app publishing process, you may want to read the Launch overview. Otherwise, continue to the page about how to Upload your app to the Play Console.
Using Play App Signing
As described earlier in this page, configuring Play App Signing is required to sign your app for distribution through Google Play (except for apps created before August 2021, which may continue distributing self-signed APKs). The steps you need to take depend on whether your app has not yet been published to Google Play, or your app is already signed and was published before August 2021 using an existing app signing key.
Configure a new app
To configure signing for an app that has not yet been published to Google Play, proceed as follows:
- If you haven't already done so, generate an upload key and sign your app with that upload key.
- Sign in to your Play Console.
- Follow the steps to prepare & roll out your release to create a new release.
- After you choose a release track, configure app signing under the App Integrity section as follows:
  - To have Google Play generate an app signing key for you and use it to sign your app, you don't have to do anything. The key you use to sign your first release becomes your upload key, and you should use it to sign future releases.
  - To use the same key as another app on your developer account, select Change app signing key > Use my own key > Use the same key as another app in this account, select an app, and then click Continue.
  - To provide your own signing key for Google to use when signing your app, select Change app signing key > Use my own key and select one of the options that lets you securely upload a private key and its public certificate.
In the section called App Bundles, click Browse files to locate and upload the app you signed using your upload key. For more information about releasing your app, refer to prepare & roll out your release. When you release your app after configuring Play App Signing, Google Play generates (unless you upload an existing key) and manages your app's signing key for you. Simply sign subsequent updates to your app using your app's upload key before uploading it to Google Play.
If you need to create a new upload key for your app, go to the section about how to Reset a lost or compromised private upload key.
Opt in an existing app
If you're updating an app that's already published to Google Play using an existing app signing key, you can opt in to Play App Signing as follows:
- If you haven't already done so, sign your app using Android Studio with your existing app signing key and make sure to check the box next to Export encrypted key to save your signing key as an encrypted *.pepk file. You'll need this file in a later step. This can also be done using the PEPK tool, which you can download from the Play Console.
- Sign in to your Play Console and navigate to your app.
- On the left menu, click Release > Setup > App integrity.
- If applicable, review the Terms of Service and select Accept.
- Select one of the options that best describes the signing key you want to upload to Google Play and follow the instructions that are shown. For example, if you used Android Studio to export your app's signing key, as described on this page, select Upload a key exported from Android Studio and upload the *.pepk file for your key.
- Click Enroll.
You should now see a page with the details of your app's signing and upload certificates. Google Play now signs your app with your existing key when deploying it to users. However, one of the most important benefits to Play App Signing is the ability to separate the key you use to sign the artifact you upload to Google Play from the key that Google Play uses to sign your app for distribution to users. So, consider following the steps in the next section to generate and register a separate upload key.
Generate and register an upload certificate
When you're publishing an app that is not signed by an upload key, the Google Play Console provides the option to register one for future updates to the app. Although this is an optional step, it's recommended that you publish your app with a key that's separate from the one Google Play uses to distribute your app to users. That way, Google keeps your signing key secure, and you have the option to reset a lost or compromised private upload key. This section describes how to create an upload key, generate an upload certificate from it, and register that certificate with Google Play for future updates of your app.
The following describes the situations in which you see the option to register an upload certificate in the Play Console:
- When you publish a new app that's signed with a signing key and opt it in to Play App Signing.
- When you are about to publish an existing app that's already opted in to Play App Signing, but it is signed using its signing key.
If you are not publishing an update to an existing app that's already opted in to Play App Signing, and you'd like to register an upload certificate, complete the steps below and continue on to the section about how to reset a lost or compromised private upload key.
If you haven't already done so, generate an upload key and keystore.
After you create your upload key and keystore, you need to generate a public certificate from your upload key using keytool, with the following command:
    $ keytool -export -rfc -keystore your-upload-keystore.jks -alias upload-alias -file output_upload_certificate.pem
Now that you have your upload certificate, register it with Google when prompted in the Play Console or read the section below to register it through the Google Play support team.
Upgrade your app signing key
In some circumstances, you might want to change your app's signing key. For example, because you want a cryptographically stronger key or your signing key has been compromised. However, because users can only update your app if the update is signed with the same signing key, it's difficult to change the signing key for an app that's already published.
If you publish your app to Google Play, you can upgrade the signing key for your published app through the Play Console. Your new key is used to sign new installs and app updates, while your older app signing key is used to sign updates for users who installed your app before the key upgrade.
To learn more, read Upgrade your app signing key for new installs.
Reset a lost or compromised private upload key
If you lost your private upload key or your private key has been compromised, you can create a new one and contact the Google Play support team to reset the key.
Configure the build process to automatically sign your app
In Android Studio, you can configure your project to sign the release version of your app automatically during the build process by creating a signing configuration and assigning it to your release build type. A signing configuration consists of a keystore location, keystore password, key alias, and key password. To create a signing configuration and assign it to your release build type using Android Studio, complete the following steps:
- In the Project window, right click on your app and click Open Module Settings.
- On the Project Structure window, under Modules in the left panel, click the module you would like to sign.
- Click the Signing tab, then click Add.
- Select your keystore file, enter a name for this signing configuration (as you may create more than one), and enter the required information.
- Click the Build Types tab.
- Click the release build.
- Under Signing Config, select the signing configuration you just created.
- Click OK.
Now every time you build your release build type by selecting an option under Build > Build Bundle(s) / APK(s) in Android Studio, the IDE will sign your app automatically, using the signing configuration you specified. You can find your signed APK or app bundle in the build/outputs/ directory inside the project directory for the module you are building.
When you create a signing configuration, your signing information is included in plain text in your Gradle build files. If you are working in a team or sharing your code publicly, you should keep your signing information secure by removing it from the build files and storing it separately. You can read more about how to remove your signing information from your build files in Remove Signing Information from Your Build Files. For more about keeping your signing information secure, read Secure your key.
Sign each product flavor differently
If your app uses product flavors and you would like to sign each flavor differently, you can create additional signing configurations and assign them by flavor:
- In the Project window, right click on your app and click Open Module Settings.
- On the Project Structure window, under Modules in the left panel, click the module you would like to sign.
- Click the Signing tab, then click Add.
- Select your keystore file, enter a name for this signing configuration (as you may create more than one), and enter the required information.
- Repeat steps 3 and 4 as necessary until you have created all your signing configurations.
- Click the Flavors tab.
- Click the flavor you would like to configure, then select the appropriate signing configuration from the Signing Config dropdown menu. Repeat to configure any additional product flavors.
- Click OK.
You can also specify your signing settings in Gradle configuration files. For more information, see Configuring Signing Settings.
Manage your own signing key
If you choose not to opt in to Play App Signing (only for apps created before August 2021), you can manage your own app signing key and keystore. Keep in mind, you are responsible for securing the key and the keystore. Additionally, your app will not be able to support Android App Bundles, Play Feature Delivery and Play Asset Delivery.
When you are ready to create your own key and keystore, make sure you first choose a strong password for your keystore and a separate strong password for each private key stored in the keystore. You must keep your keystore in a safe and secure place. If you lose access to your app signing key or your key is compromised, Google cannot retrieve the app signing key for you, and you will not be able to release new versions of your app to users as updates to the original app. For more information, see Secure your key, below.
If you manage your own app signing key and keystore, when you sign your APK, you will sign it locally using your app signing key and upload the signed APK directly to the Google Play Store for distribution as shown in figure 10.
When you use Play App Signing, Google keeps your signing key safe, and ensures your apps are correctly signed and able to receive updates throughout their lifespans. However, if you decide to manage your app signing key yourself, there are a few considerations you should keep in mind.
Signing considerations
You should sign your app with the same certificate throughout its expected lifespan. There are several reasons why you should do so:
- App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the app; in this case, the user installs the new version as a completely new app.
- App modularity: Android allows APKs signed by the same certificate to run in the same process, if the apps so request, so that the system treats them as a single app. In this way you can deploy your app in modules, and users can update each of the modules independently.
- Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can expose functionality to another app that is signed with a specified certificate. By signing multiple APKs with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure manner.
If you plan to support upgrades for an app, ensure that your app signing key has a validity period that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key's validity period expires, users will no longer be able to seamlessly upgrade to new versions of your app.
If you plan to publish your apps on Google Play, the key you use to sign your app must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.
Keep your key secure
If you choose to manage and secure your app signing key and keystore yourself (instead of opting in to Play App Signing), securing your app signing key is of critical importance, both to you and to the user. If you allow someone to use your key, or if you leave your keystore and passwords in an unsecured location such that a third party could find and use them, your authoring identity and the trust of the user are compromised.
If a third party should manage to take your app signing key without your knowledge or permission, that person could sign and distribute apps that maliciously replace your authentic apps or corrupt them. Such a person could also sign and distribute apps under your identity that attack other apps or the system itself, or corrupt or steal user data.
Your private key is required for signing all future versions of your app. If you lose or misplace your key, you will not be able to publish updates to your existing app. You cannot regenerate a previously generated key.
Your reputation as a developer entity depends on your securing your app signing key properly, at all times, until the key is expired. Here are some tips for keeping your key secure:
- Select strong passwords for the keystore and key.
- Do not give or lend anyone your private key, and do not let unauthorized persons know your keystore and key passwords.
- Keep the keystore file containing your private key in a safe, secure place.
In general, if you follow common-sense precautions when generating, using, and storing your key, it will remain secure.
Remove signing information from your build files
When you create a signing configuration, Android Studio adds your signing information in plain text to the module's build.gradle files. If you are working with a team or open-sourcing your code, you should move this sensitive information out of the build files so it is not easily accessible to others. To do this, you should create a separate properties file to store secure information and refer to that file in your build files as follows:
- Create a signing configuration, and assign it to one or more build types. These instructions assume you have configured a single signing configuration for your release build type, as described in Configure the build process to automatically sign your app, above.
- Create a file named keystore.properties in the root directory of your project. This file should contain your signing information, as follows:
      storePassword=myStorePassword
      keyPassword=mykeyPassword
      keyAlias=myKeyAlias
      storeFile=myStoreFileLocation
- In your module's build.gradle file, add code to load your keystore.properties file before the android {} block.
  Groovy
      ...

      // Create a variable called keystorePropertiesFile, and initialize it to your
      // keystore.properties file, in the rootProject folder.
      def keystorePropertiesFile = rootProject.file("keystore.properties")

      // Initialize a new Properties() object called keystoreProperties.
      def keystoreProperties = new Properties()

      // Load your keystore.properties file into the keystoreProperties object.
      keystoreProperties.load(new FileInputStream(keystorePropertiesFile))

      android {
          ...
      }
  Kotlin
      ...
      import java.util.Properties
      import java.io.FileInputStream

      // Create a variable called keystorePropertiesFile, and initialize it to your
      // keystore.properties file, in the rootProject folder.
      val keystorePropertiesFile = rootProject.file("keystore.properties")

      // Initialize a new Properties() object called keystoreProperties.
      val keystoreProperties = Properties()

      // Load your keystore.properties file into the keystoreProperties object.
      keystoreProperties.load(FileInputStream(keystorePropertiesFile))

      android {
          ...
      }
  Note: You could choose to store your keystore.properties file in another location (for example, in the module folder rather than the root folder for the project, or on your build server if you are using a continuous integration tool). In that case, you should modify the code above to correctly initialize keystorePropertiesFile using your actual keystore.properties file's location.
- You can refer to properties stored in keystoreProperties using the syntax keystoreProperties['propertyName']. Modify the signingConfigs block of your module's build.gradle file to reference the signing information stored in keystoreProperties using this syntax.
  Groovy
      android {
          signingConfigs {
              config {
                  keyAlias keystoreProperties['keyAlias']
                  keyPassword keystoreProperties['keyPassword']
                  storeFile file(keystoreProperties['storeFile'])
                  storePassword keystoreProperties['storePassword']
              }
          }
          ...
      }
  Kotlin
      android {
          signingConfigs {
              getByName("config") {
                  // Properties lookups return Any?, so cast each value to String.
                  keyAlias = keystoreProperties["keyAlias"] as String
                  keyPassword = keystoreProperties["keyPassword"] as String
                  storeFile = file(keystoreProperties["storeFile"] as String)
                  storePassword = keystoreProperties["storePassword"] as String
              }
          }
          ...
      }
- Open the Build Variants tool window and ensure that the release build type is selected.
- Select an option under Build > Build Bundle(s) / APK(s) to build either an APK or app bundle of your release build. You should see the build output in the build/outputs/ directory for your module.
Because your build files no longer contain sensitive information, you can now include them in source control or upload them to a shared codebase. Be sure to keep the keystore.properties file secure. This may include removing it from your source control system.
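A pre-commit style check for the procedure above, as an added example that is not part of the original page: it flags password properties still set to string literals in a Gradle build file, confirms keystore.properties carries the four keys the page lists, and checks that the file is covered by .gitignore. The function names and the sample build files are constructed for illustration, and the .gitignore matching is a simplification that only understands plain file-name patterns and "!" negation.

```python
import fnmatch
import re

# Keys the page stores in keystore.properties.
REQUIRED_KEYS = ("storePassword", "keyPassword", "keyAlias", "storeFile")

# A password property assigned a quoted literal, in Groovy (storePassword 'x')
# or Kotlin (storePassword = "x"). The lookbehind skips the name when it is
# itself a lookup key, as in keystoreProperties['storePassword'].
LITERAL_SECRET = re.compile(
    r"""(?<![\w.'"\[])(storePassword|keyPassword)\s*=?\s*(["'])(.*?)\2"""
)


def find_plaintext_secrets(build_file_text):
    """Return (line_number, property) for each password set to a literal."""
    findings = []
    for number, line in enumerate(build_file_text.splitlines(), start=1):
        code = line.strip()
        if code.startswith("//"):  # ignore commented-out lines
            continue
        for match in LITERAL_SECRET.finditer(code):
            findings.append((number, match.group(1)))
    return findings


def missing_properties(properties_text):
    """Return the required keys absent from a keystore.properties file."""
    present = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            present.add(line.split("=", 1)[0].strip())
    return [key for key in REQUIRED_KEYS if key not in present]


def is_ignored(gitignore_text, filename="keystore.properties"):
    """Simplified .gitignore check: the last matching pattern wins."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        negated = pattern.startswith("!")
        pattern = pattern.lstrip("!").lstrip("/")
        if fnmatch.fnmatch(filename, pattern):
            ignored = not negated
    return ignored


# Constructed sample inputs (placeholder values taken from the page's example).
BEFORE_GRADLE = """\
android {
    signingConfigs {
        config {
            keyAlias 'myKeyAlias'
            keyPassword 'mykeyPassword'
            storeFile file('release.jks')
            storePassword 'myStorePassword'
        }
    }
}
"""

AFTER_GRADLE = """\
android {
    signingConfigs {
        config {
            keyAlias keystoreProperties['keyAlias']
            keyPassword keystoreProperties['keyPassword']
            storeFile file(keystoreProperties['storeFile'])
            storePassword keystoreProperties['storePassword']
        }
    }
}
"""

AFTER_KOTLIN = 'keyPassword = keystoreProperties["keyPassword"] as String\n'

PROPERTIES = (
    "storePassword=myStorePassword\nkeyPassword=mykeyPassword\n"
    "keyAlias=myKeyAlias\nstoreFile=myStoreFileLocation\n"
)

GITIGNORE = "*.iml\n/build\nkeystore.properties\n"

if __name__ == "__main__":
    print("before:", find_plaintext_secrets(BEFORE_GRADLE))
    print("after: ", find_plaintext_secrets(AFTER_GRADLE))
    print("missing keys:", missing_properties(PROPERTIES))
    print("ignored by git:", is_ignored(GITIGNORE))
```
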
Source: https://developer.android.com/studio/publish/app-signing