I'm writing a python script to build and sign my android project using gradlew ,
Everyone on the web is talking about how u can lose your generated key and therefor u can lose ability to update your published application. my question is are every generated keys using keytool unique?
and the signed apk using that key would easily be uploaded to google play store and every single app signed using that certain key will be considered as an update ?
thanks .
Yes, every key generated by keytool is unique.
For key management, you basically have a few options:
Generate the app signing key locally, keep it secure, and only use it when generating the release version of your app. Use a separate key for the debug versions of your app.
Generate the app signing key locally, enroll in App Signing by Play supplying your key to Google. During the enrollment, you will be prompted to created another key (called the upload key). You can use the upload key normally to sign the apps you upload to the Play Console, but make sure to keep the app signing in a safe place with strict ACLs. If you lose the upload key, you can always have it reset, so less critical.
The easiest solution (and the default in Play Console) is to enroll in App Signing by Play and let Google generate the app signing key. You are this way sure that you won't be accidentally losing or leaking it, and that it will be secure enough. Also, you'll only have one key to deal with: the upload key, which can be reset if you lose it.
I'd recommend the 3rd option (simplest, most secure), but some people prefer to keep a copy of the key with them and thus opt for the 2nd option. The 1st option is very risky as you seem to have already heard.
Related
Please correct me!!
I read in this article:
https://support.google.com/googleplay/android-developer/answer/7384423
App signing key (1) - managed by Google, is Inaccessible
Upload key (2) - is managed by us
(1) can be different with (2)
How can we obtain the (1) for signing in local?
I need to test update from current version (the latest one on PlayStore which is signed with 1) to the new version N+1.
But since I can not have (1), how can I sign my app for local testing?
Thank you.
Thank Michael for your answer:
When you opt in to have your app signed by Google you can choose to provide an existing key rather than having a new one generated by Google: "To provide your own signing key for Google to use when signing your app, select Advanced options and select one of the options that lets you securely upload a private key and its public certificate". If you've already let Google generate a key for you then I'm not sure if you can redo it (especially if APKs signed with that key have gone out into production).But you could create an Internal Test group for your team and publish new versions there first
You should test with a different key locally. The app signing key is sensitive since it can't easily be changed, so it's good practice to use a separate key for local testing.
If you use APIs that require the certificate to be whitelisted, you can whitelist this test certificate as well.
As you know, after uploading an apk file to google play, you can choose to let Google signs your apk with another key, in order to prevent losing key file for an app. So, every time we upload an apk, it will be signed using this key. Now, this approach has a limitation, consider that you want to sign your apk with this key without uploading apk to google play each time.
So, the question is: Is it possible to download key file and sign my app locally? How? What will be the key password and alias password in this case?
No, it is not possible to download the private key that Google generated to sign your app.
The options I see for your use case are:
Create a new app on the Play Console for your new flavours, and ask to be signed with the same key as your other app. Even without publishing this app externally (e.g. keep it on a test track), Play would generate the APK which you could download immediately after.
Delete your app, and recreate it but this time, give Play the key you want your app to be signed with instead of letting Google generate it. It is possible since a couple of weeks ago.
Hope that helps.
I have been transfered an app and I am releasing an update using react-native, what do I need to be able to get the same signing key?
The original user told me the alias and password? Is this enough or do i need the actual signing file, if I am supposed to create the file do I need to answer all the questions in the same way to get the same signing key?
Thanks for any help
You need the actual .keystore file itself (with password and alias) as you will not be able to re-generate it, even using the same values for each of the parameters with the keygen tool. Without it you won't be able to publish any updates to the Play Store. This applies regardless of using React Native or otherwise as has been discussed on this question.
From the React Native Docs:
Once you publish the app on the Play Store, you will need to republish
your app under a different package name (losing all downloads and
ratings) if you want to change the signing key at any point. So backup
your keystore and don't forget the passwords.
I have been developing an Android application for another person that is to be published to the Google Play Store. They have a developer account, and have given me a key. I have made a build release of the application and now have an unsigned apk. All I have is their key. Is there a way to release this app into the Play store without this keystore I have heard about, just using they key they have provided? All the tutorials and docs I am looking at keep mentioning the keystore, and since this person has their own account with their own key and will be maintaining the app on their own moving forward, it doesn't make sense for me to use my own account.
Alternatively, maybe it is just a situation where I need to give them the unsigned apk key and they are responsible for the remainder of the publishing process. This is less than ideal, because we would like to be able to possibly make some changes to the app after the initial release. Any guidance would be appreciated.
They can create the keystore and send it to you, the keystore should be password protected, then you will have an alias/password pair inside the keystore to access the key you want. When exporting your apk you can select this keystore and sign the package with their key. To make changes in the future you will need to sign it/export it again with the same key and upload it to the Google Play store. If you lose the key you will not be able to upload a new version. You can find more detail at this SO question.
My advice is to generate a keystore the proper way, either the other person needs to or you should and then share the information.
I cant seem to find the answer to this: Is it possible to change signing-key but still use the same packagename? So that the people who bought my app can "re-download" the app with the new key, from the same Google Play page.
The background to this is that I want to extend my signing key to more then 25 years I have set now. Maybe this is enough but I dont want to be put in a situation where the key expires.
If this is not possible, could I remove my current Google Play app and create a new one with the same packagename and another key?
No. If you have an APK signed with a signature and containing a package name installed on a device, any subsequent apk with the same package name must have the same signature.
As of 2019
Yes, you can do this in some cases.
If you've enabled Manage Signing Key by Google then your signing key will be managed by Google and you can add an additional Upload Key which you can change/update if necessary. Google recommends this procedure and this procedure is available for new apps and already published apps.
If you are managing signing key by yourself you can still upgrade the signing key only once in the whole lifetime of the app. Users with the previous key will be able to use and update the app with the legacy signing key and the new users will be enabled with the upgraded key. Here is what quoted in the reference:
In some circumstances, you can request an app signing key upgrade. Your new key is used to sign new installs and app updates. Your legacy app signing key is still used to sign updates for users who installed your app before the key upgrade.
Each app can only have its app signing key upgraded once in its lifetime. In the unlikely event that you have multiple apps using the same signing key specifically to run in the same process, you won’t be able to use key upgrade for those apps.
Details is explained here