I've got a project to do. I got an app and I have some changes to make on it.
The app has already been uploaded as a beta version to the Google Play developer console.
Now I try to upload a new APK with some changes I made, so I sign the APK with my own certificate, but it says the APK must be signed with the last certificate.
Therefore I want to know if there is somehow to get the last certificate and sign it myself, or should I ask the last programmer for the certificate that he used?
I want to know if there is somehow to get the last certificate and sign it myself, or should I ask the last programmer for the certificate that he used?
You pretty much answered yourself here. If you do not have the last certificate then you need to ask for it from the one who has it, or you must change the packageId (thus making it a new app) and then release it as a new app to Google Play.
This is related reading in the official docs: https://developer.android.com/studio/publish/app-signing.html
Our project has multiple Android developers who all have access to the Google Play Console, in order to be able to publish APK updates from their respective computers.
As mentioned in the docs and this post here:
The apk must be signed with the same certificates as the previous version
Question:
Is there a way for the first developer to share his certificate with the second developer, such that the second developer is able to publish APK updates to the Google Play console?
So far I didn't see any mention of this in the docs or discussions.
The initial release of the app was published by the first developer. Now, the second developer would like to publish some updates as well. However, this seems to be blocked, such that only APKs signed from the first developer's computer will be permitted for update upload.
Update
For a more established team, I can see the cloud solution from the accepted answer working - but in our case, sharing the certificate file proved to be the most practical solution. It was clean, fast, and solved the requirement without otherwise adding any additional layers to the stack.
One way to deal with this is to use the Google Play App Signing function of the Developer Console. Your signing key can be stored with Google and secondary upload keys are used to generate the build.
When you upload the build, Google will re-sign it with the actual signing key. If another developer comes along, the upload key can be revoked and a new one generated but the actual signing key remains secure in Google-land.
See:
https://developer.android.com/studio/publish/app-signing.html
and:
https://support.google.com/googleplay/android-developer/answer/7384423
I want to upload an updated APK to the Play Store, but I am getting an error that my SHA1 certificate does not match the previous one. I want to know how I can upload the APK, as I am using the same old key that was previously used by the developer.
You are obviously not using the same certificate, hence the message.
The debug certificates differ among computers, but from your message I suspect the app is already uploaded to the store, so you need to use the same release certificate used by the other developer. Ask the other developer which certificate he used.
There are many questions about signed and unsigned .apk files. For testing & debugging we can use the unsigned .apk file that is generated inside the bin folder. This APK file is generated using a dummy keystore file. My question is why we need to use a signed APK. Can't we publish an unsigned APK? What's wrong with that?
There are a number of reasons why you want to have a release-signed application. There's even a great article about it. Here are a few reasons:
It's a method that the end user can verify that an app is in fact published by the same author.
The release process allows for Android to use additional features, like In App purchases. Without it, Google can't verify that in fact the app is yours.
It's a way of saying that someone trusted released the app.
It is a two step authentication process to verify your app is yours. That gives an added layer of security that can't be done via other means.
Applications signed with the same key are allowed to share resources. The debug certificate is shared by all, and you probably don't want to have that level of access with all of your apps.
Basically, it makes a hacker's life more difficult, which is always a good thing.
For instance, one might give access to the Google Play account to people to modify the description, but you don't want them to upload new apps. Without the key, they can't upload the app. Furthermore, if your Google password is cracked, you still can't upload the app. It takes having your private key file and key to crack it.
#Pearson covered almost everything, but there is one thing I would like to add.
In Android, you cannot install an unsigned application in any way on your developer phone/emulator. You have to sign your application either with the debug certificate or with your own certificate.
Upon installation, the Android SDK generates a "debug" signing certificate for you in a keystore called debug.keystore. A debug certificate is only valid for 365 days.
So when you install your application through any IDE (Eclipse/Android Studio), the IDE also signs the app using the debug certificate.
Update
My question is why we need to use a signed APK. Can't we publish an unsigned APK? What's wrong with that?
You need to sign your app with your own release keystore certificate because you can't publish an app which is signed with the debug certificate, because:
One reason is that your debug certificate expires within a year, so after that you cannot release an update of your app once your debug certificate has expired; that is also why Google does not allow it, plus some more major security concerns.
The second reason is that the Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications.
Only people who have enabled debugging in their developer options will be able to run it. And people will need to know how to enable developer options (by clicking on 'Build Number' in the phone settings seven times). Google will not let you publish a debug apk, so people will have to side-load it.
An APK signed with the debug keystore is a signed APK. An unsigned APK can't be installed on a device. For production you must create a different keystore to sign with. Also, once published, future updates must be signed using the same keystore. If the keystore is lost, the application can't be updated.
An unsigned APK is harder to trace to the original author. Although in principle there is nothing wrong with that, Google forces you to sign your APK before publishing on Google Play. Because of this, Google has the power to revoke the certificate when a developer abuses Google Play to publish software, i.e. malware.
Also, because you have to pay Google for a certificate, Google hopes that malicious developers won't pay over and over again to publish their application.
From Android Developers:
"The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications"...
Read all about it here
Hi,
Yesterday I published an app on the Play Store. I made a big mistake: I signed the app with debug.keystore, so the map is not shown when the app is published.
To solve this, I re-signed the app with a new keystore and generated a new map key (with the new SHA1).
But the problem is that I can't now publish the new APK; they said (The apk must be signed with the same certificates).
What can I do now?
You have to use the same certificate when you update your APK or Google Play won't recognize it as the same app.
From the Google documentation:
Application upgrade – As you release updates to your application, you must continue to sign the updates with the same certificate or set of certificates, if you want users to be able to upgrade seamlessly to the new version. When the system is installing an update to an application, it compares the certificate(s) in the new version with those in the existing version. If the certificates match exactly, including both the certificate data and order, then the system allows the update. If you sign the new version without using matching certificates, you must also assign a different package name to the application — in this case, the user installs the new version as a completely new application.
Source: http://developer.android.com/tools/publishing/app-signing.html
Similar info also here in Android developer blog: http://android-developers.blogspot.com.au/2011/06/things-that-cannot-change.html
Just as important as the manifest package name is the certificate that application is signed with. The signing certificate represents the author of the application. If you change the certificate an application is signed with, it is now a different application because it comes from a different author. This different application can’t be uploaded to Market as an update to the original application, nor can it be installed onto a device as an update.
[...]
In conclusion: There are some parts of your application that can not change. Please be careful.
So I'm afraid you can't do much in this case.
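The update rule quoted above (certificates must match exactly, both data and order) is what the "signed with a different certificate" errors in this thread come down to. As an added example that is not from any of the posts, the Python script below extracts the signer certificates from the v1 signature block of two APKs (META-INF/*.RSA, *.DSA or *.EC, a PKCS#7 SignedData structure), fingerprints them with SHA-256 the way `apksigner verify --print-certs` does, and applies the same-data-same-order comparison. The `build_apk` helper and the two certificate byte strings are constructed stand-ins so the script runs offline; real APKs carry genuine X.509 certificates in the same position.

```python
import hashlib, io, zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData

def der(tag, body):  # encode one DER TLV (only used to build the constructed input)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(buf):  # split a DER blob into its top-level (tag, body, raw_tlv) elements
    out, pos = [], 0
    while pos < len(buf):
        start, tag, ln, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: the next (ln & 0x7F) bytes hold the length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln], buf[start:pos + ln]))
        pos += ln
    return out

def signer_certs(pkcs7):  # DER certificates carried in a PKCS#7 SignedData blob
    _, content_info, _ = children(pkcs7)[0]                   # ContentInfo SEQUENCE
    (_, oid, _), (_, explicit, _) = children(content_info)[:2]
    if oid != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 signedData structure")
    signed_data = children(explicit)[0][1]                     # [0] EXPLICIT SignedData
    for tag, body, _ in children(signed_data):
        if tag == 0xA0:                                        # [0] IMPLICIT certificates
            return [raw for t, _, raw in children(body) if t == 0x30]
    return []

def cert_fingerprints(apk_bytes):  # SHA-256 of every v1 signer cert, in signature-file order
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in sorted(z.namelist()):
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [hashlib.sha256(c).hexdigest() for c in signer_certs(z.read(name))]
    return fps

def same_signer(old_apk, new_apk):  # Android's update rule: data AND order must match exactly
    return cert_fingerprints(old_apk) == cert_fingerprints(new_apk)

def build_apk(certs):  # constructed minimal APK: a zip with one v1 signature block holding certs
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                      + der(0xA0, b"".join(certs)) + der(0x31, b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, signed_data)))
    return buf.getvalue()

# Constructed stand-ins for X.509 certificates (real ones are also outer SEQUENCEs, tag 0x30).
RELEASE_CERT = der(0x30, b"constructed release certificate")
DEBUG_CERT = der(0x30, b"constructed debug certificate")
```

Replace `build_apk(...)` with the bytes of a real old and new APK to check locally, before uploading, whether the new build was signed with the same certificate chain as the published one.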
The Android documentation here states:
You must use the same key to sign future versions of your application. If you republish your app with a new key, Google Play will consider it a new app.
There is also a link to this blog that again claims that you can publish an app with the same package name and a different key for the signature, although the user will eventually have to uninstall the version signed with the old key.
However, when I try to publish an application that I signed with a key that is not the same one that was used the first time the application was published, I get an error:
You uploaded an APK that is signed with a different certificate to your previous APKs. You must use the same certificate
I have also found the answer here that states that you can't.
So the question is: is it possible, and if not, why do the Android docs say something different?
Technically you can use a different certificate. You just cannot upload it to Google Play if the certificate is different from a previously uploaded one.
Nothing stops you installing the APK manually though, after uninstalling the one with a different signature.
You cannot sign with a different key. They won't let you upload it. I don't see where in this blog entry it says you can upload with a different certificate. It seems to be listed under "Things that cannot change."
Just as important as the manifest package name is the certificate that application is signed with. The signing certificate represents the author of the application. If you change the certificate an application is signed with, it is now a different application because it comes from a different author. This different application can’t be uploaded to Market as an update to the original application, nor can it be installed onto a device as an update.