27 October 2019

Enrol on App Signing in the Google Play Store for an existing Android App

App Signing by the Google Play Store is, on the face of it, an incredibly brilliant idea. I absolutely love it. However, I found it impossibly difficult to follow Google’s rather short documentation on how to get set up, especially for existing app users. So I thought I’d write this little helper to try and spell it out to anyone who tries to follow the same process I have.

App signing is the process of creating a keystore with which you sign your Android app, which verifies that it is in fact you who is releasing an update to your Android app. A keystore, remember, is basically just a special store for a private and a public key.

If you lose the original master keystore you signed your app with, bad news. You need to create a new app and a new Google Play Store listing. Not fun.

The concept of App Signing for Google Play Store is basically that you surrender the master keystore that you used to sign your initial app to Google (let’s call this the release key). Google then securely stores and manages your release key. You then create a brand new keystore called an upload key. You do this as if you were creating a brand new app, through Android Studio or, if you’re a keyboard warrior, using Java keytool. You then tell Google about this upload key and you’re done. All future releases can be signed with your upload key and Google will re-sign with the original, now super secret and secure release key. The benefit of this is Google keeps everything secure, and if you lose or compromise your upload key, Google will let you discard it and create a new one. Your users are none the wiser and everyone is happy all of the time.

The process for implementing all this is a little more complicated. First you need to head to the Play Store and go to “App signing” under “Release management”.




Now we need to get all our keystores, private keys, certificates and koala bears in some sort of order. I’m doing this in Android Studio 3.5; older versions may need an upgrade.

As a first step, we need to extract the private key from your original master release key.

Step 1 - Get an App Signing Private Key

Open your app in Android Studio and ensure it builds.

  1. Go to Build -> Generate Signed Bundle / APK (don’t worry, you don’t need to actually release this build)
  2. Even if you’re not wanting to use App Bundle, select Android App Bundle and click next.
  3. Enter the details for your master, original release key, including store password, alias and key password
  4. IMPORTANT -> check “Export encrypted key for enrolling published apps in Google Play App Signing”
  5. Finish off the process and make a build. You should now have a pepk file, which is the exported, encrypted private key for your original master release key.


Now we need to generate a brand new upload key to use to sign our future apps.

Step 2 - Create an upload key


  1. Again, go to Build -> Generate Signed Bundle / APK (again, we’re not actually going to release an app)
  2. Select APK or App Bundle, whichever you would normally do.
  3. Click “Create new…”, we’re going to create a new keystore.
  4. Fill in all the details and make the build.
  5. You should now have a brand new keystore with brand new passwords and an alias. KEEP THIS CAREFULLY.
  6. This keystore will be used forevermore as your main key to release your apps.


Now we need to get a public key from our new upload key. This will be how we tell Google about our new upload key.

Step 3 - Generate a Public Certificate


  1. Use keytool and run a command like this:
    keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem
  2. Substitute your NEW UPLOAD KEY for “upload-keystore.jks” and your new alias for “upload”.
  3. Keytool is usually somewhere in jdk/bin
  4. After running this command you should have a .pem file.
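
A pre-upload check on the file Step 3 produces, as an added example that is not part of the original post: it confirms the .pem holds exactly one public certificate and no private key, and prints its SHA-256 fingerprint in the colon-separated form keytool uses. The function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import sys
import textwrap

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def upload_cert_fingerprint(pem_text):
    """Return the SHA-256 fingerprint of the single certificate in pem_text.

    Raises ValueError if the text holds private key material, or anything
    other than exactly one CERTIFICATE block.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; do not upload it")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    try:
        der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE (0x30)
        raise ValueError("decoded data is not a DER certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(label, der):
    """Wrap raw bytes as a PEM block (used only to build the samples)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-in bytes, not a real certificate or key.
SAMPLE_DER = b"\x30" + bytes(range(1, 200))
SAMPLE_CERT_PEM = to_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_LEAK_PEM = to_pem("PRIVATE KEY", SAMPLE_DER) + SAMPLE_CERT_PEM

if __name__ == "__main__":
    # Pass the path to upload_certificate.pem, or nothing to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_PEM
    print("SHA256:", upload_cert_fingerprint(text))
```

The printed value should match the SHA256 line that `keytool -list -v -keystore upload-keystore.jks -alias upload` reports for your upload key.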


Now go back to the Google Play Store and click “Upload a key exported from Android Studio”. You can now add your private key (the pepk file from Step 1) and your public certificate (the .pem file from Step 3). This gives Google the details of the release key and the upload key and you should be all set.

Click finish and you should now be signed up to App Signing. Well done, keep a close eye on that upload key and its passwords.