I have an Android project in my Google Play Developer Console. I managed to automate uploading of nightly build to the Alpha channel but I also need to download the APK to get its md5 hash for my internal purposes.
I can't get md5 hash before uploading because App Signing by Google Play is enabled for this app so each APK file that I upload is re-signed with Google's keystore.
Is there a way to download APK file from Alpha channel for my own project?
You can download original and re-signed APKs from the Play Console, in the Artifact Library.
There isn't an API to download re-signed APKs today unfortunately.
Pierre's answer is correct. However, taking an MD5 hash of your APK is probably a mistake. In particular if you use this for verification you will probably introduce a bug. This is because of Google Play security metadata. This won't be consistent on all versions of your APK, and in particular can change with time without you republishing.
If you need to check the authenticity of your app, can I recommend the primary thing you check is the app signing certificate hash. This should be enough for almost anyone and is what major app developers do. If this is not good enough, please check the hash of any particular section of your app you are worried about (eg the classes.dex or a particular resource file). Please don't check the whole APK, you will cause yourself problems.
Related
This is actually being done in Xamarin but thats technically not specific to the question.
I've been running a build CI/CD that currently was signing (with my own custom key) an APK and deploying it to App Center (its actually building an AAB and then making a fat APK from it fyi).
This has all been working fine for months for internal, daily builds of the app.
Now I'm deploying release candidates to Google Play Console and I have my CI/CD deploying AAB bundles.
The first bundle was signed with this same key and as I understand it that key is now the 'upload key' for google play, but because I'm deploying AAB (and I believe, by August we HAVE to), Google insists on signing the AAB for me.
This now means, if someone in our team installs the Internal track AAB, they then can't install an updated test build from AppCenter over the top as they are signed differently.
Is there anyway around this? Can I get the key google signed the build with and use that when uploading to AppCenter (I realise our team will need to at least uninstall an older signed build form AppCenter to then get updates but will be fine from that point out).
Ideally I want to be able to install updates from AppCenter and Google Play over the top of each other as long as their versions are incrementing.
There is unfortunately no way of requesting the signing key from Google. If you didn't provide Google with the signing key when you initially enrolled in Play Signing, then you will likely never have access to the signing key.
What you can do however is download the universal APK signed by Google (from the Bundle Explorer in the Play Console), then upload it to AppCenter. But I'm not sure if there is a download API available today to automate this operation on your CI.
With the thanks of Pierre's answer I didn't realise there was an option to create the Play signing key from an existing key using the pepk.jar
I redid the app this way and its working installing builds from AppCenter and Google Play on top of each other!
In the recent try for uploading a new version of apk for existing application to PlayStore, threw an warning message as mentioned below
So the question is, is it mandatory to upload only aab files to PlayStore or normal apk file can also be updated.
If aab file has to be uploaded, then how to sign the aab file before uploading.
I referred this Link for Goolge App signing. Is this also required ?
Note:
The application developed is a cordova application. So if the above mentioned things are mandatory is the procedure different to build for cordova application ?
Thanks in advance !
"Important: In the second half of 2021, new apps will be required to
publish with the Android App Bundle on Google Play. New apps larger
than 150 MB must use either Play Feature Delivery or Play Asset
Delivery".
Taken from
https://developer.android.com/guide/app-bundle
So the question is, is it mandatory to upload only aab files to PlayStore or normal apk file can also be updated
Normal APK can also be uploaded / updated. This is just a warning and not an error message. Google Play will still allow you to continue
If aab file has to be uploaded, then how to sign the aab file before
uploading.
In Android Studio, when building signed APK / AAB, it will ask you to export an encrypted key. Take note of the location because you will use this exported key when you upload your AAB. See highlighted in yellow
I referred this Link for Goolge App signing. Is this also required ?
Nope, it's optional. Quoting Google Play Support:
Using app signing by Google Play is optional. You can still upload an APK and manage your own keys instead of using an app bundle. However, if you lose your keystore or it becomes compromised, you won’t be able to update your app without publishing a new app with a new package name. https://support.google.com/googleplay/android-developer/answer/7384423
I made an app & then created an APK, generated a signed APK (I was using AndroidStudio 3.0).
I tried to post it, but I had this issue: "You must use a different package name because "com.example" is restricted." I searched on youtube then I solved this issue.
Now I have another issue when I publish my APK to Google Developer Console. The APK is signed I don't know why this doesn't work....
The error is: "You uploaded an APK signed with a certificate that is not yet valid. You must sign the APK file with a certificate that is valid"
You should read the whole of the article on "Manage your app signing keys" then maybe re-ask the question when you understand it a little better.
Every app on android is signed. Google will do the signing for you if you opt-in to Google Play App Signing (you should) but you still need to sign your app with an upload key so that Google knows it comes from you, and not some malicious attacker who has taken over your account.
This upload key can be replaced by the Play Console support team, but you should only need to do this in an emergency. Until then you should generate an upload certificate, sign your app with it, and keep the certificate safe.
All the instructions for how to generate an upload key, and sign your app with it are in the article linked above.
Whenever I tried to upload my instant app apks to Play store, it gives the following error :
Your site 'www.mywebsitename.com' has not been linked through the Digital
Assets Link protocol to your app. Please link your site through the
Digital Assets Link protocol to your app.
However, whenever I execute https://developers.google.com/digital-asset-links/tools/generator, it gives success for associating with my app and web site. Any idea why am I getting this error? What may cause this?
Thanks for help in advance.
Please check whether Google Play App Signing is enable on Google Play Console.
If Google Play App Signing is enable, Google Play Console will replace your app key with release key.
And the key you set on Android Studio is treated as upload key.
So, you need to modify your assetlinks.json with release key.
This happened to me when I had generated an assetlinks.json file from my debug keys, rather than the release keys. It shows up as verified in Android Studio, then fails on the server. Double check that the signing config is correct for your asset links file, and that the fingerprint in the file matches the SHA256 fingerprint of your release key. You can get your release key's fingerprint by running
keytool -list -v -keystore ~/my_keystore.jks
Another cause can be if you've enabled Play signing. In that case, you have to use the fingerprint provided in your developer console, not the one for the key you signed the APK with locally (the local one is called your "upload key"). This isn't obvious in Android Studio at all, since its asset link file generator doesn't give you an option to put in a custom fingerprint.
Please check if your website asset link file is not behind some form of authentication, internal IP, or blocked by firewall. Play Store Developer Console can not access the digital asset link file if it is not publicly accessible.
That said, please double check if https://www.mywebsitename.com/.well-known/assetlinks.json is accessible from external network (switch to a public wifi and verify the json file can load properly).
As Jarrod said in a comment, if all else fails then discard the staged release and re-upload the APK. Just now worked for me.
At the moment, I am extending an app that has been developed by somebody else.
From the client I got the original keystore file that was used to publish the app to the Play Store including the passwords required. I previously gave out test versions that were signed using some dummy key I generated for this purpose.
I am using Eclipse Indigo with ADT for all the packaging and signing.
The strange thing is, that even after creating a signed application package using the official key, the older test version using the dummy key gets overridden on installation. If I try and install the App from the Play Store, I get a second App on my phone, exactly as if it were signed with a different key.
I tried to
keytool -printcert -file META-INF/CERT.RSA | egrep "^\s+MD5|^\s+SHA"
on the contents of my own generated apk files and those of the apk file from the Play Store. I get the same hashes on my own file signed with the official key and the file from the Play Store. The file signed with the dummy key results in different hashes, exactly as I would expect it to be.
However, my phone (and the one from my client) treat both apk files from me as one app, and the version from the Play Store as another one.
Is there anything else that identifies an app aside from package name and the key that has been used to sign it? I'm pretty confused right now to be honest. Thanks in advance for any hint!
I found out the source of the problem. In fact, there wasn't any problem at all despite the one in front of the monitor... The package name in the Play Store had been altered after the source code had been copied for me. So there simply was a tiny difference in the package name between my own files and the Play Store. At least I have learned pretty much about determining the fingerprint of an apk file...