The end goal is to collect application logs from problematic devices of users who post reviews in Play Store. This is achieved by sending a support build (release build with logs) to such users and asking them to reproduce an issue and send logs.
APK signing (OK)
When classic signing scheme (without android app bundles) is used, steps are as follows
generate release and support apks and sign them with the same key
upload release apk to Play Store
upload support apk to a cloud and provide a downloadable link to it
User can now download a support build by a link and install it over release version from market. When new version is available in Play Store, user can successfully update support build to that version.
Google signing (FAIL)
With android app bundles signing, I tried the following
generate release app bundle and sign it with upload key
upload release app bundle to Play Store
generate support apk and sign it with the same upload key
upload support apk to a cloud and provide a downloadable link to it
⚠️ However, users cannot install support build over release build from Play Store, because release build is re-signed by Google (signatures do not match).
I tried to solve this in following ways
a. Sign support apk with the same key that Google uses to sign release bundle.
FAIL: Cannot find the way to download the Google key.
b. Upload support bundle and let Google sign it. Download signed support apk from Play Console.
FAIL: Can only download a set of apks for a specific device. Cannot install them manually.
c. Use Internal app sharing. Upload support bundle and copy a download link.
FAIL: apks for internal sharing are signed with a different key - signatures do not match
My questions
Is there another way to achieve the end goal (get logs from market users)?
Do I miss something in my attempts I mentioned above? Specifically,
is it possible to download a real signing key from Play Console?
is it possible for an average user to install a set of apks generated from an app bundle?
Re-using the same upload key does not mean that Google will re-sign the APK with the same app signing key.
If you want the support APK to be signed with the same key as your main app, you need to request it explicitly when you enroll in App Signing by Play:
To answer your other questions:
It is not possible to download the signing key from Google Play.
The best way for an average user to download APKs generated from App Bundle is from Play. You can provide a link to any version you published that they can open directly on their device. If you meant sideloading APKs generated from App Bundle, then it is not easy for the average users since that will require running a command line tool (bundletool).
Your best option in this situation is to create an Internal Test track in Google Play console, and invite the user in as an internal tester. Upload your debug bundle into the Internal Test track, and using Bundle Explorer you can copy the direct build URL and share that with the user.
They will need to opt in to your beta program first, and "join the beta" on your app's Play Store listing.
Related
This is actually being done in Xamarin but thats technically not specific to the question.
I've been running a build CI/CD that currently was signing (with my own custom key) an APK and deploying it to App Center (its actually building an AAB and then making a fat APK from it fyi).
This has all been working fine for months for internal, daily builds of the app.
Now I'm deploying release candidates to Google Play Console and I have my CI/CD deploying AAB bundles.
The first bundle was signed with this same key and as I understand it that key is now the 'upload key' for google play, but because I'm deploying AAB (and I believe, by August we HAVE to), Google insists on signing the AAB for me.
This now means, if someone in our team installs the Internal track AAB, they then can't install an updated test build from AppCenter over the top as they are signed differently.
Is there anyway around this? Can I get the key google signed the build with and use that when uploading to AppCenter (I realise our team will need to at least uninstall an older signed build form AppCenter to then get updates but will be fine from that point out).
Ideally I want to be able to install updates from AppCenter and Google Play over the top of each other as long as their versions are incrementing.
There is unfortunately no way of requesting the signing key from Google. If you didn't provide Google with the signing key when you initially enrolled in Play Signing, then you will likely never have access to the signing key.
What you can do however is download the universal APK signed by Google (from the Bundle Explorer in the Play Console), then upload it to AppCenter. But I'm not sure if there is a download API available today to automate this operation on your CI.
With the thanks of Pierre's answer I didn't realise there was an option to create the Play signing key from an existing key using the pepk.jar
I redid the app this way and its working installing builds from AppCenter and Google Play on top of each other!
I have app using Play App Signing. I want upload app to Huawei App Gallery. Google recommend to download signed, universal APK from bundle explorer and then upload to store outside Google Play.
If you also distribute your app outside of Google Play or plan to
later and want to use the same signing key, you have two options:
Either let Google generate the key (recommended) and then download a
signed, universal APK from the app bundle explorer to distribute
outside of Google Play. You can also download signed APKs from the
Google Play Developer API.
Or you can generate the app signing key
you want to use for every app store, and then transfer a copy of it to
Google when you opt in to Play App Signing.
https://support.google.com/googleplay/android-developer/answer/9842756?hl=en
How I can automate this with Fastlane so I not need to manually download universal APK from bundle explorer every time?
I suggest generating your own script using Google Play Store Developer API
This is the reference page
https://developers.google.com/android-publisher/download-apks
You can follow this page to learn how you can generate the token for your download script
https://developers.google.com/android-publisher/getting_started
Generating tokens might be a little tricky if you are not familiar with the process, but the rest of the process is easy,
Generate Bearer access token
Use the token and your package name to generate Edit ID
Use the Edit ID to upload your Bundle and Deobfuscation files
Update your edit
Commit your edit
Get the list of available signed APKs
Download your signed APK
Remember, you have to upload a bundle because there is no signed APK API if you upload an APK in step 3.
Also, it is better when updating your edit to use the draft status in step 5, it enables you to test the signed APK before release.
You can find the detail of all API in the link I have shared
When I created an app bundle in Android Studio, a "private_key.pepk" file was generated along side the app bundle. In an old tutorial of publishing an app bundle in the Google Play Console I have noticed "private_key.pepk" file was required to upload for generating the app signing key.
This is the first time I am publishing an app bundle. Besides, I am publishing it in the new web version of the Google Play Console. I just uploaded my app bundle and uploading "private_key.pepk" file was not required to generate the app singing key.
Does it mean we do not need the "private_key.pepk" file anymore or I just made a mistake while publishing my app bundle?
There are multiple ways to enroll in Play Signing in the Play Console.
If you're publishing a new app:
By default, Play Console will generate the private key when you upload your first APK/AAB
There is an advanced option before uploading the first APK/AAB which allows you to choose which key you want to sign the APKs that Play will sign with. When opting for this option, Google gives you a set of commands to run using the PEPK tool.
If you're enrolling in App Signing after having published at least one APK/AAB:
You need to transfer the private key to Google. The Play Console gives the set of commands to run using the PEPK tool, but as a convenience, Studio has already run the commands for you and already provides you the encrypted key to upload: the file private_key.pepk.
You are likely in case #1, in which case the key used to sign your APK/AAB was used as an upload key and will be used by Play to ensure that the artifact was not modified between you generating it and it reaching Google servers. All your future uploads will need to be signed with the same key.
And thus the file private_key.pepk is of no use for you.
How can I sign my APK same as AAB (android app bundle)?
I have 2 problem
1- I want to use sms-retriever and want has same hash string for both APK and AAB
2- I upload my add in google play and unofficial android app stores , In google pplay I upload AAB file , and as the unofficial store cannot support AAB I upload universal APK , the problem is If someone download app from play store , they cannot update it form unofficial android app stores and vise versa , because the sign is different
You can check whether your app are using App Signing by accessing Release management > App signing. If you opted in, you can not disable it.
Note: Opting in to app signing by Google Play applies for the lifetime of your app
In the recent try for uploading a new version of apk for existing application to PlayStore, threw an warning message as mentioned below
So the question is, is it mandatory to upload only aab files to PlayStore or normal apk file can also be updated.
If aab file has to be uploaded, then how to sign the aab file before uploading.
I referred this Link for Goolge App signing. Is this also required ?
Note:
The application developed is a cordova application. So if the above mentioned things are mandatory is the procedure different to build for cordova application ?
Thanks in advance !
"Important: In the second half of 2021, new apps will be required to
publish with the Android App Bundle on Google Play. New apps larger
than 150 MB must use either Play Feature Delivery or Play Asset
Delivery".
Taken from
https://developer.android.com/guide/app-bundle
So the question is, is it mandatory to upload only aab files to PlayStore or normal apk file can also be updated
Normal APK can also be uploaded / updated. This is just a warning and not an error message. Google Play will still allow you to continue
If aab file has to be uploaded, then how to sign the aab file before
uploading.
In Android Studio, when building signed APK / AAB, it will ask you to export an encrypted key. Take note of the location because you will use this exported key when you upload your AAB. See highlighted in yellow
I referred this Link for Goolge App signing. Is this also required ?
Nope, it's optional. Quoting Google Play Support:
Using app signing by Google Play is optional. You can still upload an APK and manage your own keys instead of using an app bundle. However, if you lose your keystore or it becomes compromised, you won’t be able to update your app without publishing a new app with a new package name. https://support.google.com/googleplay/android-developer/answer/7384423