I have apps uploaded to Play Store. I am going to change my operating environment from Windows to Linux. So I will need the same keystore to update my app.
How can I use the same key store in Linux?
Why is this key store required?
You have to copy your keystore from platform to platform. It's highly recommanded as the doc say :
Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.
(source)
of course you can use it via the command line interface, you need to install the Android tools like Windows, it is required in order to authenticate your binary file on the Store, every binary, when deployed, needs an author.
Why is this key store required?
The key store is a way to identify you as the developer of a given package (i.e. android app). It prevent someone else to upload a totally different app to the play store and pretending it is an upgrade for your app.
Related
I'm writing a python script to build and sign my android project using gradlew ,
Everyone on the web is talking about how u can lose your generated key and therefor u can lose ability to update your published application. my question is are every generated keys using keytool unique?
and the signed apk using that key would easily be uploaded to google play store and every single app signed using that certain key will be considered as an update ?
thanks .
Yes, every key generated by keytool is unique.
For key management, you basically have a few options:
Generate the app signing key locally, keep it secure, and only use it when generating the release version of your app. Use a separate key for the debug versions of your app.
Generate the app signing key locally, enroll in App Signing by Play supplying your key to Google. During the enrollment, you will be prompted to created another key (called the upload key). You can use the upload key normally to sign the apps you upload to the Play Console, but make sure to keep the app signing in a safe place with strict ACLs. If you lose the upload key, you can always have it reset, so less critical.
The easiest solution (and the default in Play Console) is to enroll in App Signing by Play and let Google generate the app signing key. You are this way sure that you won't be accidentally losing or leaking it, and that it will be secure enough. Also, you'll only have one key to deal with: the upload key, which can be reset if you lose it.
I'd recommend the 3rd option (simplest, most secure), but some people prefer to keep a copy of the key with them and thus opt for the 2nd option. The 1st option is very risky as you seem to have already heard.
Please correct me!!
I read in this article:
https://support.google.com/googleplay/android-developer/answer/7384423
App signing key (1) - managed by Google, is Inaccessible
Upload key (2) - is managed by us
(1) can be different with (2)
How can we obtain the (1) for signing in local?
I need to test update from current version (the latest one on PlayStore which is signed with 1) to the new version N+1.
But since I can not have (1), how can I sign my app for local testing?
Thank you.
Thank Michael for your answer:
When you opt in to have your app signed by Google you can choose to provide an existing key rather than having a new one generated by Google: "To provide your own signing key for Google to use when signing your app, select Advanced options and select one of the options that lets you securely upload a private key and its public certificate". If you've already let Google generate a key for you then I'm not sure if you can redo it (especially if APKs signed with that key have gone out into production).But you could create an Internal Test group for your team and publish new versions there first
You should test with a different key locally. The app signing key is sensitive since it can't easily be changed, so it's good practice to use a separate key for local testing.
If you use APIs that require the certificate to be whitelisted, you can whitelist this test certificate as well.
Starting with Android I have seen that it is necessary to sign the apk. But thinking about what a digital signature is and for what it serves (guaranteeing authenticity and integrity of information) I've read that Android really does not make you sign the app to verify authenticity and integration, but because "Android uses that signature to identify the app that is making any type of request either to the system or to other applications".
Is that so?
I read that it is recommended that a developer sign their apps with the same signature The concept of digital signature is unique for each document, so how is it possible that different apps of a developer have the same signature?
I think I read that by signing the apk, me and nobody else can modify this app. Is that so? How is this?
Thank you
Both are correct. Signatures are indeed used to detect that the app you're installing has not been modified, but they can also be used to restrict access from other apps on your device. Say a company builds 2 apps, and they want to share data between them. They can use a signature-protected permission to ensure that your data can only be accessed by that company's apps.
It's not the signature that's the same, but the private key used to generate that signature. The signature is unique for every build of your app, as you would expect. See https://developer.android.com/studio/publish/app-signing.html for more info.
It's not that you cannot modify the app; it's that Android will not allow you to upgrade an app from version A to version B if the signatures of A and B were generated from different keys. If someone tampers with the app, the signature will be invalidated so they have to resign it with their own key. You should never give your key to untrusted people, since that would allow them to modify and resign your apps without changing the key.
Of course, signatures don't protect you from malicious modified APKs unless you already have an authentic version of the app installed that Android can compare the new version with. This is why you should refrain from installing APK files from unknown sources.
I have been transfered an app and I am releasing an update using react-native, what do I need to be able to get the same signing key?
The original user told me the alias and password? Is this enough or do i need the actual signing file, if I am supposed to create the file do I need to answer all the questions in the same way to get the same signing key?
Thanks for any help
You need the actual .keystore file itself (with password and alias) as you will not be able to re-generate it, even using the same values for each of the parameters with the keygen tool. Without it you won't be able to publish any updates to the Play Store. This applies regardless of using React Native or otherwise as has been discussed on this question.
From the React Native Docs:
Once you publish the app on the Play Store, you will need to republish
your app under a different package name (losing all downloads and
ratings) if you want to change the signing key at any point. So backup
your keystore and don't forget the passwords.
I would like to update my app using the same package name but different signing certificate (consultants made first version and I don't have their certificate info). If I unpublish and then upload the new apk, will existing users be able to do an easy update or will users have to uninstall and download a new app?
This is not possible. The keystore contains a certificate which is used to digitally sign your apk. Each certificate is completely unique, and cannot be regenerated or recovered from older apks.
Google relies on this because it is extremely secure, and allows them to really reduce the chances that someone can hack your developer account details and upload a malicious apk as an update to your existing app.
For now, you'll have to reupload the app under a different package name with a different key, and somehow inform users that you have changed the app details.
When you unpublish the app, new users will no longer be able to see it, but older users will still have it installed and will be able to see it in Google Play.
They will have to download a new app.
Only if your have the original certificate it is possible to let user's update the existing app.
See: Publishing Updates on Android Market
Before uploading the updated application, be sure that you have
incremented the android:versionCode and android:versionName attributes
in the element of the manifest file. Also, the package name must be
the same and the .apk must be signed with the same private key. If the
package name and signing certificate do not match those of the
existing version, Market will consider it a new application and will
not offer it to users as an update.
also see this post:
Fraid not. The play store requires that an updated app to have the same package name and the same certificate.
If you need to create a new certificate you would have to publish it as a new with a different package name and upload this version to the market.
You would then have to tell existing users that in order to get the update they should download the new version from the play store and remove the existing app from the device.