Support Sign in Sign Up Today Upload Your Files|

Android requires that all APKs be digitally signed with a document before they are installed on a device or updated. When releasing using Android App Bundles, you demand to sign your app bundle with an upload central earlier uploading information technology to the Play Console, and Play App Signing takes care of the rest. For apps distributing using APKs on the Play Shop (created before August 2021) or on other stores, you lot must manually sign your APKs for upload.

This folio guides you through some of import concepts related to app signing and security, how to sign your app for release to Google Play using Android Studio, and how to configure Play App Signing.

The following is a high-level overview of the steps you lot might need to accept to sign and publish a new app to Google Play:

1. Generate an upload key and keystore
2. Sign your app with your upload key
3. Configure Play App Signing
4. Upload your app to Google Play
5. Prepare & whorl out release of your app

If instead your app is already published to the Google Play Store with an existing app signing key, or you would like to choose the app signing fundamental for a new app instead of having Google generate information technology, follow these steps:

1. Sign your app with your app's signing cardinal and select the option to encrypt and export its signing key.
2. Upload your app'south signing key to Play App Signing.
3. (Recommended) Generate and register an upload document for future updates to your app
4. Upload your app to Google Play
5. Fix & roll out release of your app

This page besides explores how to manage your own keys for when uploading your app to other app stores. If you do non apply Android Studio or would rather sign your app from the command line, learn most how to utilize apksigner.

Play App Signing

With Play App Signing, Google manages and protects your app'southward signing key for you and uses it to sign your APKs for distribution. And, considering app bundles defer building and signing APKs to the Google Play Store, you demand to configure Play App Signing earlier you lot upload your app bundle. Doing so lets y'all benefit from the following:

• Use the Android App Bundle and support Google Play's advanced delivery modes. The Android App Bundle makes your app much smaller, your releases simpler, and makes information technology possible to use feature modules and offering instant experiences.
• Increase the security of your signing key, and make it possible to utilise a separate upload key to sign the app bundle you upload to Google Play.

• I time cardinal upgrade for new installs lets yous alter your app signing primal in case your existing i is compromised or if you need to migrate to a cryptographically stronger primal

Play App Signing uses ii keys: the app signing cardinal and the upload cardinal, which are described in farther detail in the section nigh Keys and keystores. You lot go on the upload cardinal and utilise information technology to sign your app for upload to the Google Play Shop. Google uses the upload certificate to verify your identity, and signs your APK(s) with your app signing key for distribution as shown in figure 1. By using a split upload central you can request an upload cardinal reset if your key is e'er lost or compromised.

By comparing, for apps created before August 2021 that have not opted in to Play App Signing, if you lot lose your app's signing cardinal, you lose the ability to update your app.

Figure 1. Signing an app with Play App Signing

Your keys are stored on the aforementioned infrastructure that Google uses to shop its own keys, where they are protected by Google'due south Fundamental Management Service. Yous tin can learn more about Google'southward technical infrastructure by reading the Google Deject Security Whitepapers.

When you utilize Play App Signing, if you lose your upload central, or if it is compromised, you tin contact Google to revoke your onetime upload key and generate a new one. Because your app signing cardinal is secured by Google, yous can go on to upload new versions of your app as updates to the original app, even if you change upload keys. To learn more, read Reset a lost or compromised private upload key.

The next section describes some important terms and concepts related to app signing and security. If you'd rather skip ahead and learn how to prepare your app for upload to the Google Play Store, become to Sign your app for release.

Keystores, keys, and certificates

Java Keystores (.jks or .keystore) are binary files that serve equally repositories of certificates and private keys.

A public key certificate (.der or .pem files), also known equally a digital certificate or an identity certificate, contains the public cardinal of a public/private key pair, every bit well every bit some other metadata identifying the possessor (for example, proper name and location) who holds the corresponding private cardinal.

The following are the different types of keys you should empathize:

• App signing key: The key that is used to sign APKs that are installed on a user'due south device. As office of Android's secure update model, the signing key never changes during the lifetime of your app. The app signing key is private and must be kept cloak-and-dagger. You can, however, share the certificate that is generated using your app signing fundamental.

• Upload cardinal: The key you use to sign the app bundle or APK before you upload it for app signing with Google Play. You lot must keep the upload key hugger-mugger. However, y'all can share the document that is generated using your upload key. Y'all may generate an upload key in one of the post-obit ways:

  • If you lot choose for Google to generate the app signing key for you when you lot opt in, then the key you use to sign your app for release is designated equally your upload cardinal.
  • If you provide the app signing central to Google when opting in your new or existing app, then you have the option to generate a new upload central during or after opting in for increased security.
  • If you practice not generate a new upload key, you continue to use your app signing key as your upload key to sign each release.

  Tip: To go on your keys secure, it's a good idea to make sure your app signing key and upload primal are different.

Working with API providers

You tin can download the document for the app signing key and your upload fundamental from the Release > Setup > App Integrity page in the Play Panel. This is used to annals public key(s) with API providers; it'south intended to be shared, as information technology does not contain your individual key.

A certificate fingerprint is a short and unique representation of a certificate that is ofttimes requested past API providers alongside the package name to register an app to use their service. The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates can be found on the app signing folio of the Play Console. Other fingerprints can too be computed by downloading the original certificate (.der) from the same page.

Sign your debug build

When running or debugging your project from the IDE, Android Studio automatically signs your app with a debug certificate generated by the Android SDK tools. The first fourth dimension yous run or debug your project in Android Studio, the IDE automatically creates the debug keystore and document in $HOME/.android/debug.keystore, and sets the keystore and key passwords.

Considering the debug certificate is created by the build tools and is insecure past blueprint, most app stores (including the Google Play Store) do non accept apps signed with a debug document for publishing.

Android Studio automatically stores your debug signing information in a signing configuration so you do not accept to enter information technology every fourth dimension you debug. A signing configuration is an object consisting of all of the necessary data to sign your app, including the keystore location, keystore countersign, central name, and fundamental password.

For more information about how to build and run apps for debugging, see Build and Run Your App.

Expiry of the debug certificate

The self-signed certificate used to sign your app for debugging has an expiration appointment of 30 years from its cosmos date. When the certificate expires, y'all get a build fault.

To prepare this trouble, merely delete the debug.keystore file stored in i of the following locations:

• ~/.android/ on Os Ten and Linux
• C:\Documents and Settings\user\.android\ on Windows XP
• C:\Users\user\.android\ on Windows Vista and Windows 7, eight, and x

The next time you build and run a debug version of your app, Android Studio regenerates a new keystore and debug primal.

Sign your app for release to Google Play

When y'all are set up to publish your app, yous need to sign your app and upload it to an app store, such equally Google Play. When publishing your app to Google Play for the first fourth dimension, you must also configure Play App Signing. Play App Signing is optional for apps created earlier August 2021. This section shows you how to properly sign your app for release and configure Play App Signing.

Generate an upload key and keystore

If y'all don't already have an upload key, which is useful when configuring Play App Signing, y'all tin generate one using Android Studio as follows:

1. In the bill of fare bar, click Build > Generate Signed Bundle/APK.
2. In the Generate Signed Bundle or APK dialog, select Android App Packet or APK and click Next.
3. Below the field for Fundamental store path, click Create new.

4. On the New Central Store window, provide the following information for your keystore and key, as shown in effigy two.

   

   Figure 2. Create a new upload key and keystore in Android Studio.

5. Keystore

   • Key store path: Select the location where your keystore should exist created. Also, a file name should be added to the end of the location path with the .jks extension.
   • Countersign: Create and ostend a secure password for your keystore.

6. Key

   • Alias: Enter an identifying name for your key.
   • Countersign: Create and ostend a secure password for your primal. This should be the same every bit your keystore password. (Please refer to the known issue for more information)
   • Validity (years): Set the length of time in years that your key will exist valid. Your key should be valid for at to the lowest degree 25 years, so y'all can sign app updates with the same key through the lifespan of your app.
   • Certificate: Enter some data well-nigh yourself for your certificate. This information is not displayed in your app, but is included in your certificate equally office of the APK.

7. One time you complete the grade, click OK.

8. If y'all would like to build and sign your app with your upload primal, continue to the section about how to Sign your app with your upload primal. If you simply want to generate the primal and keystore, click Cancel.

Sign your app with your primal

If you already have an upload central, employ information technology to sign your app. If instead your app is already signed and published to the Google Play shop with an existing app signing cardinal, use it to sign your app and make sure to encrypt and export it to opt your app in to Play App Signing. Yous tin can subsequently generate a divide upload key and register your upload key's public certificate with Google Play to sign and upload subsequent updates to your app.

To sign your app using Android Studio, and consign an existing app signing fundamental, follow these steps:

1. If you don't currently take the Generate Signed Package or APK dialog open, click Build > Generate Signed Parcel/APK.
2. In the Generate Signed Package or APK dialog, select either Android App Bundle or APK and click Next.
3. Select a module from the drib downward.

4. Specify the path to your keystore, the alias for your key, and enter the passwords for both. If yous haven't yet prepared your upload keystore and key, start Generate an upload key and keystore and and so return to complete this step.

   

   Figure 3. Sign your app with your upload cardinal.

5. If you're signing an app parcel with an existing app signing key, and you'd like to afterwards opt your app in to Play App Signing, check the box next to Export encrypted central and specify a path to save your signing key as an encrypted *.pepk file. You can then use your encrypted app signing key to opt in an existing app into Play App Signing.

6. Click Next.

7. In the next window (shown in figure 4), select a destination folder for your signed app, select the build blazon, choose the product season(due south) if applicable.

8. If you are building and signing an APK, you lot need to select which Signature Versions y'all desire your app to support. To acquire more, read virtually app signing schemes

9. Click Stop.

   

   Figure 4. Generate a signed version of your app for the selected product flavors.

Figure 5. Click the link in the popup to clarify or locate your app bundle, or locate your exported signing fundamental.

Later Android Studio finishes building your signed app, you lot can either locate or analyze your app past clicking on the appropriate option in the pop-up notification. If you lot selected the selection to export your signing central, you tin can quickly navigate to it by clicking the dropdown arrow in the bottom correct corner of the popup to aggrandize it and clicking Bear witness Exported Key File, as shown in figure 5.

Now you're gear up to opt your app in to Play App Signing and upload your app for release. If you lot're new to the app publishing process, you may want to read the Launch overview. Otherwise, keep to the page about how to Upload your app to the Play Console.

Using Play App Signing

Every bit described earlier in this page, configuring Play App Signing is required to sign your app for distribution through Google Play (except for apps created before August 2021, which may continue distributing self-signed APKs). The steps you demand to take depend on whether your app has not nevertheless been published to Google Play, or your app is already signed and was published before August 2021 using an existing app signing key.

Configure a new app

To configure signing for an app that has non yet been published to Google Play, proceed as follows:

1. If you haven't already done so, generate an upload key and sign your app with that upload fundamental.
2. Sign in to your Play Console.
3. Follow the steps to fix & roll out your release to create a new release.
4. After you choose a release track, configure app signing under the App Integrity section every bit follows:
   • To have Google Play generate an app signing primal for yous and use information technology to sign your app, you don't have to do anything. The key you utilise to sign your first release becomes your upload cardinal, and yous should use it to sign future releases.
   • To use the aforementioned central as some other app on your developer account, select Alter app signing key > Use my own central > Utilise the aforementioned central equally another app in this business relationship, select an app, and so click Continue.
   • To provide your own signing key for Google to use when signing your app, select Change app signing key > Use my own key and select 1 of the options that lets you deeply upload a individual key and its public certificate.

In the section called App Bundles, click Browse files to locate and upload the app you signed using your upload key. For more than data about releasing your app, refer to ready & roll out your release. When you lot release your app later configuring Play App Signing, Google Play generates (unless you lot upload an existing primal) and manages your app'south signing key for you lot. Simply sign subsequent updates to your app using your app's upload key before uploading information technology to Google Play.

If you demand to create a new upload key for you app, get to the department about how to Reset a lost or compromised private upload key.

Opt in an existing app

If you're updating an app that's already published to Google Play using an existing app signing key, you tin opt in to Play App Signing equally follows:

1. If you haven't already done and so, sign your app using Android Studio with your existing app signing key and make certain to check the box next to Export encrypted key to relieve your signing fundamental as an encrypted *.pepk file. Y'all'll need this file in a later footstep. This tin can also be done using the PEPK tool, which y'all tin download from the Play Console.
2. Sign in to your Play Console and navigate to your app.
3. On the left menu, click Release > Setup > App integrity.
4. If applicable, review the Terms of Service and select Accept.
5. Select one of the options that best describes the signing key you lot want to upload to Google Play and follow the instructions that are shown. For example, if you used Android Studio to consign your app's signing key, equally described on this folio, select Upload a fundamental exported from Android Studio and upload the *.pepk file for your central.
6. Click Enroll.

You should now see a folio with the details of your app's signing and upload certificates. Google Play now signs your app with your existing key when deploying information technology to users. Withal, i of the nigh important benefits to Play App Signing is the ability to dissever the key you employ to sign the artifact you lot upload to Google Play from the key that Google Play uses to sign your app for distribution to users. So, consider following the steps in the side by side section to generate and register a separate upload key.

Generate and register an upload certificate

When you're publishing an app that is not signed by an upload key, the Google Play Console provides the selection to register one for future updates to the app. Although this is an optional step, it's recommended that you publish your app with a key that'due south dissever from the one Google Play uses to distribute your app to users. That fashion, Google keeps your signing key secure, and you accept the option to reset a lost or compromised private upload primal. This section describes how to create an upload key, generate an upload document from it, and register that document with Google Play for future updates of your app.

The post-obit describes the situations in which yous see the pick to register an upload certificate in the Play Console:

• When you publish a new app that's signed with a signing key and opt it in to Play App Signing.
• When you are about to publish an existing app that'south already opted in to Play App Signing, simply it is signed using its signing key.

If you are not publishing an update to an existing app that's already opted in to Play App Signing, and yous'd like to annals an upload certificate, complete the steps beneath and go along on to the section about how to reset a lost or compromised private upload primal.

If you haven't already washed so, generate an upload key and keystore.

After you create your upload key and keystore, you need to generate a public certificate from your upload cardinal using keytool, with the following command:

$ keytool -export -rfc   -keystore          your-upload-keystore.jks          -alias          upload-alias          -file          output_upload_certificate.pem        

Now that you have your upload certificate, register information technology with Google when prompted in the Play Console or read the department below to register it though the Google Play back up team.

Upgrade your app signing key

In some circumstances, you might desire to change your app's signing key. For case, because you want a cryptographically stronger key or your signing key has been compromised. Even so, because users tin only update your app if the update is signed with the same signing key, it'south hard to modify the signing cardinal for an app that's already published.

If you publish your app to Google Play, you can upgrade the signing key for your published app through the Play Console—your new key is used to sign new installs and app updates, while your older app signing primal is used to sign updates for users who installed your app earlier the cardinal upgrade.

To learn more, read Upgrade your app signing key for new installs.

Reset a lost or compromised private upload cardinal

If you lost your private upload fundamental or your private key has been compromised, you can create a new one and contact the Google Play support team to reset the fundamental.

Configure the build process to automatically sign your app

In Android Studio, you tin configure your project to sign the release version of your app automatically during the build procedure by creating a signing configuration and assigning it to your release build type. A signing configuration consists of a keystore location, keystore password, key alias, and key password. To create a signing configuration and assign it to your release build type using Android Studio, complete the following steps:

1. In the Projection window, correct click on your app and click Open Module Settings.
2. On the Project Structure window, under Modules in the left panel, click the module y'all would like to sign.
3. Click the Signing tab, then click Add .

4. Select your keystore file, enter a proper noun for this signing configuration (every bit you may create more ane), and enter the required data.

   

   Effigy vii. The window for creating a new signing configuration.

5. Click the Build Types tab.
6. Click the release build.

7. Under Signing Config, select the signing configuration you lot merely created.

   

   Figure eight. Select a signing configuration in Android Studio.

8. Click OK.

Now every fourth dimension you build your release build type by selecting an option nether Build > Build Bundle(s) / APK(s) in Android Studio, the IDE will sign your app automatically, using the signing configuration you specified. You can find your signed APK or app bundle in the build/outputs/ directory within the project directory for the module you are building.

When yous create a signing configuration, your signing information is included in apparently text in your Gradle build files. If you are working in a team or sharing your code publicly, you lot should keep your signing data secure by removing it from the build files and storing it separately. You lot tin read more than nigh how to remove your signing information from your build files in Remove Signing Information from Your Build Files. For more than well-nigh keeping your signing data secure, read Secure your key.

Sign each product flavor differently

If your app uses production flavors and y'all would like to sign each flavor differently, you can create additional signing configurations and assign them by flavour:

1. In the Project window, right click on your app and click Open Module Settings.
2. On the Projection Construction window, under Modules in the left panel, click the module y'all would similar to sign.
3. Click the Signing tab, then click Add together .

4. Select your keystore file, enter a proper noun for this signing configuration (every bit yous may create more than than i), and enter the required data.

   

   Figure 10. The window for creating a new signing configuration.

5. Repeat steps 3 and 4 as necessary until yous take created all your signing configurations.
6. Click the Flavors tab.
7. Click the flavour you would like to configure, then select the appropriate signing configuration from the Signing Config dropdown menu.

   Effigy eleven. Configure signing settings by product season.

   Echo to configure any boosted product flavors.

8. Click OK.

Yous can as well specify your signing settings in Gradle configuration files. For more information, see Configuring Signing Settings.

Manage your own signing key

If you choose not to opt in to Play App Signing (just for apps created before August 2021), y'all can manage your ain app signing central and keystore. Keep in mind, you are responsible for securing the key and the keystore. Additionally, your app will non be able to back up Android App Bundles, Play Feature Delivery and Play Asset Commitment.

When you are ready to create your ain key and keystore, make sure you first choose a strong password for your keystore and a separate strong countersign for each private key stored in the keystore. You must go on your keystore in a safe and secure place. If y'all lose access to your app signing primal or your key is compromised, Google cannot retrieve the app signing fundamental for you, and you will non be able to release new versions of your app to users as updates to the original app. For more data, meet Secure your primal, below.

If yous manage your ain app signing key and keystore, when you sign your APK, y'all will sign it locally using your app signing key and upload the signed APK straight to the Google Play Store for distribution equally shown in figure x.

Figure 12. Signing an app when yous manage your own app signing key

When you use Play App Signing, Google keeps your signing key safe, and ensures your apps are correctly signed and able to receive updates throughout their lifespans. Yet, if you decide to manage your app signing cardinal yourself, there are a few considerations yous should keep in heed.

Signing considerations

You should sign your app with the same certificate throughout its expected lifespan. There are several reasons why you should do then:

• App upgrade: When the organisation is installing an update to an app, it compares the certificate(due south) in the new version with those in the existing version. The system allows the update if the certificates lucifer. If you sign the new version with a different certificate, y'all must assign a different package name to the app—in this case, the user installs the new version as a completely new app.
• App modularity: Android allows APKs signed past the same certificate to run in the same procedure, if the apps then asking, so that the organisation treats them every bit a single app. In this way yous tin deploy your app in modules, and users can update each of the modules independently.
• Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can betrayal functionality to another app that is signed with a specified certificate. By signing multiple APKs with the same document and using signature-based permissions checks, your apps can share lawmaking and data in a secure mode.

If you plan to support upgrades for an app, ensure that your app signing central has a validity period that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key's validity period expires, users volition no longer be able to seamlessly upgrade to new versions of your app.

If you lot programme to publish your apps on Google Play, the key you use to sign your app must accept a validity period ending subsequently 22 Oct 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.

Go on your fundamental secure

If y'all cull to manage and secure your app signing key and keystore yourself (instead of opting in to Play App Signing), securing your app signing cardinal is of critical importance, both to you and to the user. If you lot let someone to use your fundamental, or if y'all exit your keystore and passwords in an unsecured location such that a 3rd-party could find and employ them, your authoring identity and the trust of the user are compromised.

If a third party should manage to take your app signing key without your knowledge or permission, that person could sign and distribute apps that maliciously replace your authentic apps or decadent them. Such a person could also sign and distribute apps under your identity that attack other apps or the system itself, or corrupt or steal user information.

Your individual key is required for signing all future versions of your app. If you lot lose or misplace your primal, yous will not exist able to publish updates to your existing app. Yous cannot regenerate a previously generated key.

Your reputation as a developer entity depends on your securing your app signing cardinal properly, at all times, until the key is expired. Here are some tips for keeping your key secure:

• Select potent passwords for the keystore and key.
• Practice not give or lend anyone your private key, and do non let unauthorized persons know your keystore and primal passwords.
• Go along the keystore file containing your private central in a safe, secure place.

In general, if you follow common-sense precautions when generating, using, and storing your fundamental, it will remain secure.

Remove signing information from your build files

When you create a signing configuration, Android Studio adds your signing information in plain text to the module'due south build.gradle files. If you are working with a team or open-sourcing your lawmaking, you should move this sensitive information out of the build files then it is not hands accessible to others. To do this, yous should create a carve up properties file to store secure data and refer to that file in your build files as follows:

1. Create a signing configuration, and assign it to one or more build types. These instructions assume you have configured a single signing configuration for your release build type, as described in Configure the build process to automatically sign your app, above.
2. Create a file named keystore.properties in the root directory of your projection. This file should contain your signing data, as follows:

   storePassword=myStorePassword keyPassword=mykeyPassword keyAlias=myKeyAlias storeFile=myStoreFileLocation            

3. In your module's build.gradle file, add code to load your keystore.properties file before the android {} cake.

   Cracking

   ...  // Create a variable called keystorePropertiesFile, and initialize information technology to your // keystore.properties file, in the rootProject folder. def keystorePropertiesFile = rootProject.file("keystore.properties")  // Initialize a new Properties() object chosen keystoreProperties. def keystoreProperties = new Properties()  // Load your keystore.properties file into the keystoreProperties object. keystoreProperties.load(new FileInputStream(keystorePropertiesFile))  android {     ... }                

   Kotlin

   ... import java.util.Backdrop import coffee.io.FileInputStream  // Create a variable called keystorePropertiesFile, and initialize information technology to your // keystore.properties file, in the rootProject folder. val keystorePropertiesFile = rootProject.file("keystore.backdrop")  // Initialize a new Properties() object called keystoreProperties. val keystoreProperties = Properties()  // Load your keystore.properties file into the keystoreProperties object. keystoreProperties.load(FileInputStream(keystorePropertiesFile))  android {     ... }                

   Notation: You could cull to store your keystore.properties file in some other location (for instance, in the module folder rather than the root folder for the project, or on your build server if yous are using a continuous integration tool). In that case, you should modify the code above to correctly initialize keystorePropertiesFile using your actual keystore.properties file's location.

4. Yous can refer to backdrop stored in keystoreProperties using the syntax keystoreProperties['propertyName']. Modify the signingConfigs block of your module'due south build.gradle file to reference the signing information stored in keystoreProperties using this syntax.

   Groovy

   android {     signingConfigs {         config {             keyAlias keystoreProperties['keyAlias']             keyPassword keystoreProperties['keyPassword']             storeFile file(keystoreProperties['storeFile'])             storePassword keystoreProperties['storePassword']         }     }     ...   }

   Kotlin

   android {     signingConfigs {         getByName("config") {             keyAlias = keystoreProperties["keyAlias"]             keyPassword = keystoreProperties["keyPassword"]             storeFile = file(keystoreProperties["storeFile"])             storePassword = keystoreProperties["storePassword"]         }     }     ...   }

5. Open up the Build Variants tool window and ensure that the release build blazon is selected.
6. Select an option nether Build > Build Packet(s) / APK(s) to build either an APK or app parcel of your release build. You should encounter the build output in the build/outputs/ directory for your module.

Because your build files no longer contain sensitive information, you can now include them in source control or upload them to a shared codebase. Be sure to keep the keystore.properties file secure. This may include removing it from your source control arrangement.

orozcoliew1990.blogspot.com

Source: https://developer.android.com/studio/publish/app-signing