Google Play App Signing: Build and Self Distribute Production APK (Upload App Signing Key)

June 2, 2020

Why use Google Play App Signing

  • To use the Android App Bundle, which reduces app download size and enables dynamic delivery of features (a component is only downloaded when necessary, which reduces app size as well)

  • Increases the security of your signing key and makes it possible to use a separate upload key to sign the app bundle you upload to Google Play.

Note: Opting in to app signing by Google Play applies for the lifetime of your app. In order to ensure security, after you opt in you cannot retrieve a copy of your app’s signing key and you can’t delete it from Google’s servers without deleting your app.

Opt-in Google Play App Signing

If you create a new application (via Google Play Console -> Create Application), then create a release via App releases -> Internal test / Alpha / Beta / Production -> Manage -> Create Release, you will be prompted with the following.

Let Google manage and protect your app signing key (recommended)

Google Play will create and manage the app signing key for your app. Google Play signs each release with this key so that Android devices can trust that the release is really from you. Learn more

This step is a requirement for using the recommended app publishing format, the Android App Bundle, and benefiting from Google Play’s Dynamic Delivery. If you’re about to publish an APK, you can still select ‘Continue’ now and start using the Android App Bundle later. Learn more

Understand the benefits
(Advanced options) Provide the app signing key that Google Play uses for this app

Reusing signing keys can pose a security risk and is not recommended. However, it may be necessary to reuse an app signing key if:

You sign more than one app with the same key so that they can run in the same process.

You sign more than one app with the same key so that they can share code/data.

Your app comes pre-installed on some devices and is signed with a specific key already.

- Let Google create and manage my app signing key (recommended)

- Use the same key as another app in this account

- Export and upload a key and certificate from a Java keystore

- Export and upload a key and certificate (not using a Java keystore)

CONTINUE / OPT OUT

If you click CONTINUE, the following will happen:

  • Google will generate and store the App Signing Key (the equivalent of the .jks file you use with Generate Signed Bundle / APK in Android Studio)

  • The .jks file on your local machine is no longer the final production signing key, but rather an upload key used to generate the .apk/.aab that you upload to Google Play, where Google (using the App Signing Key) generates the finalized APK or App Bundle for production distribution. Thus the production SHA-1 (you can access this at Google Play Console -> Release management -> App signing -> App signing certificate) is different from the SHA-1 of your local machine .jks.

  • You cannot download the App Signing Key generated and stored by Google, so it is impossible for you to generate an APK with the same certificate/signature as the Google Play App Signing Key.

NOTE: If you click CONTINUE (Opt in), there is no turning back (this process is not reversible).

Generate APK using the Google Play App Signing Key

If you want an APK carrying the Google Play App Signing Key signature, you can generate an APK using your local machine upload key (.jks), upload the APK to Google Play Console to create a release, then download the APK via Google Play Console -> Release management -> Artifact library.

If you upload an App Bundle (.aab), you can’t get a universal APK (though you can access platform/device-specific APKs at Artifact library -> (Select Version) Explore -> Expand "Download device-specific APKs"). bundletool can generate a universal APK from an .aab, but you don’t have access to the Google Play App Signing Key, so that APK would not carry the production signature.

If you really need the universal APK to do your own distribution, you can upload an APK (instead of an App Bundle) to a test track and download the production APK via the Artifact library.

Internal Distribution / Testing

  • The Internal test track (Google Play Console -> Release management -> App releases) is the best way to test the app internally with the build signed by the Google Play App Signing Key. There is a limit of 100 internal testers per app, and you need to send them an Opt-in URL. Updates are available within 5-10 minutes after deployment; you can check for updates manually at Play Store -> My apps & Games and see the Update button activated. Sometimes you might need to switch to the Installed tab instead of the Updates tab to see the latest update.

  • If you use Internal app sharing, bear in mind that it doesn’t use the Google Play App Signing Key but the upload key that signed the APK/App Bundle you shared.

  • Other options are the Alpha and Beta tracks.

What if you really need a copy of the App Signing Key?

Google doesn’t think this is a good idea from a security standpoint, but if you insist, there is a way.

NOTE: This method only works for a new app.

Create a new application (via Google Play Console -> Create Application), then create a release via App releases -> Internal test / Alpha / Beta / Production -> Manage -> Create Release; you will be prompted with Let Google manage and protect your app signing key (recommended). Click OPT OUT.

NOTE: Under (Advanced options) Provide the app signing key that Google Play uses for this app there is an option to Export and upload a key and certificate from a Java keystore, but I prefer another, easier way.

Upload an APK using your local machine .jks keystore/certificate (Android Studio -> Generate Signed Bundle / APK -> APK), then click Review.

Go to App signing and you will see the following options.

Let Google manage and protect your app signing key

Choose one of the options below to opt in now

- Upload a key exported from Android Studio
- Export and upload a key from a Java keystore
- Export and upload a key (not using a Java keystore)

Select Upload a key exported from Android Studio.

  • In Android Studio -> Generate Signed Bundle / APK -> Android App Bundle, check Export encrypted key for enrolling published apps in Google Play App Signing.
  • In Google Play Console, click App Signing Private Key and select private_key.pepk.

On your App signing page, you will notice that the App signing certificate and the Upload certificate have the same SHA-1. That means the App signing key and the Upload key are the same: the key in our local machine .jks / keystore / certificate.

NOTE: Google will recommend that you Generate and register an upload certificate, but that defeats the purpose of this exercise.
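Whether an APK downloaded from the Artifact library carries the Google-managed App signing certificate (different SHA-1 from your .jks) or, after the opt-in above, the same certificate as your upload key, can be checked offline by hashing the signer certificate inside the APK. The script below is an added example, not code from the post; it assumes the APK has a v1 (JAR) signature (a META-INF/*.RSA, *.DSA or *.EC entry), which is what keytool and the Play Console SHA-1 refer to, and takes the SHA-1 shown on the App signing page as its second argument.

```python
"""Hash the v1 (JAR) signer certificate of an APK to see which key signed it.
Added example, not from the post. Assumes a v1-signed APK (META-INF/*.RSA,
*.DSA or *.EC present); v2/v3-only APKs need `apksigner verify --print-certs`."""
import hashlib
import sys
import zipfile

def der_items(buf):
    """Yield (tag, body, whole_tlv) for each DER element in buf (definite lengths)."""
    i = 0
    while i < len(buf):
        start, tag, length = i, buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        body = buf[i:i + length]
        i += length
        yield tag, body, buf[start:i]

def signer_cert_der(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob."""
    # ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    _, content_info, _ = next(der_items(pkcs7))
    wrapper = next(body for tag, body, _ in der_items(content_info) if tag == 0xA0)
    _, signed_data, _ = next(der_items(wrapper))
    # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo, [0] certificates, ... }
    certs = next(body for tag, body, _ in der_items(signed_data) if tag == 0xA0)
    # certificates is an IMPLICIT SET OF Certificate; a Certificate is a SEQUENCE (0x30)
    return next(whole for tag, _, whole in der_items(certs) if tag == 0x30)

def fingerprint(cert_der):
    """SHA-1 over the DER certificate, in the AA:BB:... form keytool and Play Console show."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def apk_signer_fingerprint(apk_path):
    """Fingerprint of the certificate in the APK's v1 signature block."""
    with zipfile.ZipFile(apk_path) as zf:
        sig_name = next(n for n in zf.namelist() if n.startswith("META-INF/")
                        and n.upper().endswith((".RSA", ".DSA", ".EC")))
        return fingerprint(signer_cert_der(zf.read(sig_name)))

def same_key(fp_a, fp_b):
    norm = lambda s: s.replace(":", "").strip().upper()  # ignore case and colons
    return norm(fp_a) == norm(fp_b)

if __name__ == "__main__":  # usage: python apk_signer.py app.apk <SHA-1 from App signing page>
    fp = apk_signer_fingerprint(sys.argv[1])
    print(fp, "matches" if same_key(fp, sys.argv[2]) else "does NOT match", "the expected key")
```

If the printed fingerprint matches the App signing certificate on the Play Console, the APK is the production-signed build; if it matches your .jks SHA-1 instead, it was signed with the upload key only (as with Internal app sharing).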

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.