I'm trying to publish my first InstantApp. It's a brand new app, so I first published the app in the "installed way" and when I tried uploading the instant-app.zip I got the error:
Upload failed
You uploaded an APK with an invalid signature (learn more about signing). Error from apksigner: ERROR: NO_SIG_FOR_TARGET_SANDBOX_VERSION: Missing APK Signature Scheme v2 signature required for target sandbox version 2 ERROR: JAR_SIG_NO_SIGNATURES: No JAR signatures.
I thought it was the lacking of signing key and signed using gradle:
signingConfigs {
release {
keyAlias 'somealias'
keyPassword 'somepass'
storeFile file("$rootDir/some.jks")
storePassword 'some'
}
}
buildTypes {
release {
signingConfig signingConfigs.release
minifyEnabled false
shrinkResources false
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
Does anyone passed through this issue?
It sounds like Play is seeing an APK which is not signed at all. There are two error messages: (1) that there's no APK Signature Scheme v2 signature (this is required for Instant Apps), and (2) that there's no JAR signature (this is required if the app's minSdkVersion is lower than 24).
To check whether your APK is properly signed:
apksigner verify -v my.apk
Try this for every APK inside the ZIP you're uploading.
Related
I am generating an APK file for the flutter app using:
flutter build apk
and it generates the following file:
build/app/outputs/flutter-apk/app-release.apk
I was always able to install this apk on my phone or any other phone to test it. But recently I started getting the following warning when installing the app:
And then when I tap "Continue", I get this error: "App not installed".
Since this error is new, I though maybe that's due to a change that I recently made. And the only change that could've affected the apk file is that I regenerated the key.jks file which is used to sing the apk file. That file is used in the android/build.gradle file:
signingConfigs {
debug {
storeFile file('key.jks')
storePassword '**********'
keyAlias 'androiddebugkey'
keyPassword '**********'
}
}
buildTypes {
debug {
signingConfig signingConfigs.debug
}
release {
// TODO: Add your own signing config for the release build.
// Signing with the debug keys for now, so `flutter run --release` works.
signingConfig signingConfigs.debug
}
}
What could be causing this error? I also tried "flutter clean" but that didn't help.
I'm making aab file for releasing.
We're using flutter.
Last release is uploading signed apk file to google play store,but this time for we can't upload 32bit and 64bit apk separately, so we tried to use appbundle.
We do have signature when we release apk file.
And because the release operation(upload apk file to google play) is handled by other team, so I don't know whether I need to use a new signature for aab file's release.
Here is my setting,just the same with last time
signingConfigs {
release {
keyAlias keystoreProperties['keyAlias']
keyPassword keystoreProperties['keyPassword']
storeFile file(keystoreProperties['storeFile'])
storePassword keystoreProperties['storePassword']
}
}
buildTypes {
release {
// TODO: Add your own signing config for the release build.
// Signing with the debug keys for now, so `flutter run --release` works.
signingConfig signingConfigs.release
}
}
and I have key.properties file
storePassword=XXX
keyPassword=XXX
keyAlias=XXX
storeFile=O:\\sourceCode\\key\\key.keystore
And for release, I set build variant as release, as introduced in flutter official doc
simply "No" you don't need new signature to create app bundle. your old signature will work fine
Currently, I sign the app in the following manner where keys are read from env in CI.
signingConfigs {
release {
storeFile file(System.getenv("ANDROID_KEYSTORE_PATH"))
storePassword System.getenv("KEYSTORE_PASSWORD")
keyAlias System.getenv("KEY_ALIAS")
keyPassword System.getenv("KEY_PASSWORD")
}
}
buildTypes {
release {
signingConfig signingConfigs.release
manifestPlaceholders = [excludeSystemAlertWindowPermission: "true"]
}
}
But this method will make the passwords available if someone decompiles the apk.
Is there a way by which keys are only used during the signing and then stripped from code and then uploaded to Play store?
Or if someone can point me to more secure ways of signing apk's?
This details doesn't get bundled in a apk file, so even if someone de-compiles your apk he wont get to see this.
You can alternatively use android studio to create a signed apk.
Check this link to see how it is done
I have trouble with updating the debug version of the app's apk:
Installation failed with message Failed to finalize session : INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package [here our package] signatures do not match the previously installed version; ignoring
Two developers. Two PC's with same Android Studio versions (3.2.1). But when I try to install - have this, when the second developer make a debug apk with the same code (with git) it installs normally.
If I make an apk - it's an error occurred via an update of a version of the second developer on a different device (tester).
What I've tried already:
Restart Android Studio.
Clean and Rebuild.
Invalidate Caches and Restart.
Build apk and installed from the device. ("Application doesn't install" error occurred during update)
Increase versionCode.
The device is a Lenovo TB-X103F tablet on Android 6.0.1.
You need to use the same debug keystore. Your colleagues' keystore will be at:
Windows: C:\Users\USERNAME\.android\debug.keystore
Linux / Mac: ~/.android/debug.keystore
3 solutions are below in descending order of correctness:
In the long term, this should be configured inside your project, so that anyone with the project can sign the debug builds. This is done by configuring your build.gradle like so.
You can also set your signing config inside Android Studio, so you are not reliant on copying his file in the future. Here is how to set it.
You could also just replace your debug keystore in that location with your colleagues, so you are using the same config.
Different keystore files cause this warning. For the exact solution;
-Create your own keystore files for each build types.
-Define buildTypes and SigningConfigs in app level gradle file
like this:
signingConfigs {
release {
keyAlias '******'
keyPassword '******'
storeFile file('...\\release.jks')
storePassword '******'
}
debug {
keyAlias 'alias'
keyPassword '******'
storeFile file('...\\debug.jks')
storePassword '******'
}
}
buildTypes {
release {
lintOptions {
}
debuggable false
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.release
}
debug {
debuggable true
minifyEnabled false
signingConfig signingConfigs.debug
}
}
NOTE!!! You can move debug keystore file into project folder(app folder will be a good choice). So both developers have the same keystore easily.
I understand how to generate a signed apk from android studio-> Build menu, but if I have several projects is it possible to automate this task so that for all the projects I could run some script which automatically builds signed apks without me having to generate them one by one ?
Thanks,
Ahmed
Yes this can be done by creating a signed build configuration and specifying the keystore information. This is done by adding a couple sections to build.gradle:
First create the signed build type that uses release mode and runs proguard:
android {
buildTypes {
signed {
debuggable false
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.signed
}
}
}
Then add the signing configuration (supply your own values):
android {
signingConfigs {
signed {
storeFile file('keystore.jks')
storePassword 'storepassword'
keyAlias 'key'
keyPassword 'keypassword'
}
}
}
Then, you can build from the command line by typing ./gradlew assembleSigned (for Mac OSX) or gradlew assembleSigned (for Windows).
You can also use the installSigned build task to build and install on a connected device.