Javascript required
Skip to content Skip to sidebar Skip to footer

Your Android App Bundle Uses an Upload Certificate With a Key That Is Too Weak

Android requires that all APKs be digitally signed with a certificate before they are installed on a device or updated. When releasing using Android App Bundles, you need to sign your app parcel with an upload primal earlier uploading it to the Play Console, and Play App Signing takes care of the balance. For apps distributing using APKs on the Play Store (created before August 2021) or on other stores, you must manually sign your APKs for upload.

This page guides yous through some important concepts related to app signing and security, how to sign your app for release to Google Play using Android Studio, and how to configure Play App Signing.

The following is a high-level overview of the steps you lot might need to have to sign and publish a new app to Google Play:

  1. Generate an upload key and keystore
  2. Sign your app with your upload key
  3. Configure Play App Signing
  4. Upload your app to Google Play
  5. Prepare & scroll out release of your app

If instead your app is already published to the Google Play Store with an existing app signing key, or you would like to cull the app signing central for a new app instead of having Google generate information technology, follow these steps:

  1. Sign your app with your app's signing central and select the option to encrypt and export its signing fundamental.
  2. Upload your app's signing key to Play App Signing.
  3. (Recommended) Generate and annals an upload certificate for future updates to your app
  4. Upload your app to Google Play
  5. Prepare & curlicue out release of your app

This page likewise explores how to manage your ain keys for when uploading your app to other app stores. If you lot exercise not use Android Studio or would rather sign your app from the control line, larn about how to use apksigner.

Play App Signing

With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution. And, because app bundles defer building and signing APKs to the Google Play Shop, you demand to configure Play App Signing before y'all upload your app parcel. Doing and then lets you benefit from the following:

  • Apply the Android App Parcel and back up Google Play's advanced delivery modes. The Android App Bundle makes your app much smaller, your releases simpler, and makes it possible to use characteristic modules and offer instant experiences.
  • Increase the security of your signing primal, and arrive possible to utilize a dissever upload key to sign the app packet you upload to Google Play.
  • I fourth dimension fundamental upgrade for new installs lets you change your app signing primal in example your existing i is compromised or if yous need to migrate to a cryptographically stronger cardinal

Play App Signing uses two keys: the app signing key and the upload cardinal, which are described in further detail in the department almost Keys and keystores. You lot keep the upload key and use it to sign your app for upload to the Google Play Shop. Google uses the upload certificate to verify your identity, and signs your APK(south) with your app signing central for distribution every bit shown in effigy i. Past using a separate upload cardinal you can request an upload central reset if your fundamental is always lost or compromised.

By comparison, for apps created before August 2021 that have not opted in to Play App Signing, if yous lose your app'south signing central, y'all lose the power to update your app.

Effigy 1. Signing an app with Play App Signing

Your keys are stored on the aforementioned infrastructure that Google uses to shop its own keys, where they are protected past Google'due south Key Management Service. You can larn more about Google's technical infrastructure by reading the Google Cloud Security Whitepapers.

When you employ Play App Signing, if you lose your upload key, or if it is compromised, you can contact Google to revoke your one-time upload key and generate a new one. Considering your app signing primal is secured by Google, you can continue to upload new versions of your app as updates to the original app, even if yous alter upload keys. To larn more than, read Reset a lost or compromised private upload key.

The side by side section describes some important terms and concepts related to app signing and security. If y'all'd rather skip alee and learn how to prepare your app for upload to the Google Play Store, become to Sign your app for release.

Keystores, keys, and certificates

Java Keystores (.jks or .keystore) are binary files that serve every bit repositories of certificates and individual keys.

A public central certificate (.der or .pem files), also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as another metadata identifying the owner (for instance, name and location) who holds the respective private key.

The following are the different types of keys you should understand:

  • App signing fundamental: The key that is used to sign APKs that are installed on a user'south device. As part of Android'due south secure update model, the signing central never changes during the lifetime of your app. The app signing central is private and must be kept secret. You lot can, yet, share the document that is generated using your app signing key.
  • Upload key: The central you apply to sign the app bundle or APK before you upload it for app signing with Google Play. You lot must go on the upload key hugger-mugger. However, you tin share the certificate that is generated using your upload fundamental. Yous may generate an upload key in i of the following ways:

    • If you lot cull for Google to generate the app signing key for you when you opt in, then the key you use to sign your app for release is designated as your upload key.
    • If you provide the app signing key to Google when opting in your new or existing app, then y'all take the option to generate a new upload cardinal during or afterward opting in for increased security.
    • If y'all do not generate a new upload key, you continue to employ your app signing key equally your upload central to sign each release.

    Tip: To keep your keys secure, it's a skilful idea to make sure your app signing central and upload fundamental are different.

Working with API providers

You tin can download the certificate for the app signing key and your upload key from the Release > Setup > App Integrity page in the Play Console. This is used to register public key(s) with API providers; it's intended to exist shared, as it does non contain your private key.

A certificate fingerprint is a curt and unique representation of a certificate that is often requested by API providers alongside the package name to register an app to use their service. The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates tin be institute on the app signing page of the Play Console. Other fingerprints can likewise be computed by downloading the original certificate (.der) from the same page.

Sign your debug build

When running or debugging your project from the IDE, Android Studio automatically signs your app with a debug document generated by the Android SDK tools. The commencement time you run or debug your project in Android Studio, the IDE automatically creates the debug keystore and certificate in $HOME/.android/debug.keystore, and sets the keystore and primal passwords.

Because the debug document is created by the build tools and is insecure past design, about app stores (including the Google Play Store) practise not accept apps signed with a debug certificate for publishing.

Android Studio automatically stores your debug signing information in a signing configuration so you do not have to enter it every time you lot debug. A signing configuration is an object consisting of all of the necessary information to sign your app, including the keystore location, keystore password, fundamental proper noun, and key password.

For more data about how to build and run apps for debugging, encounter Build and Run Your App.

Decease of the debug document

The self-signed certificate used to sign your app for debugging has an expiration date of xxx years from its creation date. When the certificate expires, y'all go a build error.

To prepare this problem, simply delete the debug.keystore file stored in one of the post-obit locations:

  • ~/.android/ on Bone X and Linux
  • C:\Documents and Settings\user\.android\ on Windows XP
  • C:\Users\user\.android\ on Windows Vista and Windows 7, 8, and 10

The next fourth dimension you build and run a debug version of your app, Android Studio regenerates a new keystore and debug fundamental.

Sign your app for release to Google Play

When yous are prepare to publish your app, you need to sign your app and upload it to an app store, such every bit Google Play. When publishing your app to Google Play for the first time, you must also configure Play App Signing. Play App Signing is optional for apps created before Baronial 2021. This section shows you how to properly sign your app for release and configure Play App Signing.

Generate an upload key and keystore

If you don't already have an upload fundamental, which is useful when configuring Play App Signing, you tin can generate i using Android Studio every bit follows:

  1. In the bill of fare bar, click Build > Generate Signed Parcel/APK.
  2. In the Generate Signed Bundle or APK dialog, select Android App Packet or APK and click Next.
  3. Below the field for Key shop path, click Create new.
  4. On the New Key Store window, provide the following data for your keystore and key, as shown in figure 2.

    Figure 2. Create a new upload key and keystore in Android Studio.

  5. Keystore

    • Key store path: Select the location where your keystore should be created. As well, a file name should be added to the end of the location path with the .jks extension.
    • Password: Create and ostend a secure password for your keystore.
  6. Fundamental

    • Alias: Enter an identifying proper name for your cardinal.
    • Password: Create and ostend a secure password for your cardinal. This should be the aforementioned as your keystore countersign. (Delight refer to the known upshot for more information)
    • Validity (years): Fix the length of fourth dimension in years that your key will be valid. Your central should exist valid for at least 25 years, so you tin can sign app updates with the aforementioned key through the lifespan of your app.
    • Certificate: Enter some information about yourself for your certificate. This information is not displayed in your app, only is included in your certificate every bit part of the APK.
  7. One time you consummate the grade, click OK.

  8. If you would like to build and sign your app with your upload central, continue to the section about how to Sign your app with your upload key. If y'all only want to generate the central and keystore, click Cancel.

Sign your app with your primal

If you lot already have an upload fundamental, use information technology to sign your app. If instead your app is already signed and published to the Google Play store with an existing app signing fundamental, use it to sign your app and make certain to encrypt and export it to opt your app in to Play App Signing. Y'all can later generate a divide upload key and register your upload central'south public document with Google Play to sign and upload subsequent updates to your app.

To sign your app using Android Studio, and export an existing app signing fundamental, follow these steps:

  1. If yous don't currently have the Generate Signed Bundle or APK dialog open, click Build > Generate Signed Bundle/APK.
  2. In the Generate Signed Packet or APK dialog, select either Android App Bundle or APK and click Adjacent.
  3. Select a module from the drop downwardly.
  4. Specify the path to your keystore, the alias for your key, and enter the passwords for both. If you oasis't yet prepared your upload keystore and cardinal, kickoff Generate an upload key and keystore and then render to complete this pace.

    Figure 3. Sign your app with your upload key.

  5. If you're signing an app parcel with an existing app signing key, and you'd like to subsequently opt your app in to Play App Signing, check the box next to Export encrypted key and specify a path to relieve your signing key as an encrypted *.pepk file. Y'all tin and so use your encrypted app signing key to opt in an existing app into Play App Signing.

  6. Click Next.

  7. In the side by side window (shown in figure 4), select a destination binder for your signed app, select the build type, choose the production flavor(s) if applicative.

  8. If yous are building and signing an APK, you need to select which Signature Versions you desire your app to support. To learn more, read about app signing schemes

  9. Click Finish.

    Figure four. Generate a signed version of your app for the selected product flavors.

Figure 5. Click the link in the popup to analyze or locate your app bundle, or locate your exported signing key.

After Android Studio finishes edifice your signed app, yous can either locate or analyze your app by clicking on the appropriate option in the popular-up notification. If you selected the choice to export your signing key, you tin speedily navigate to information technology by clicking the dropdown pointer in the lesser right corner of the popup to expand it and clicking Show Exported Fundamental File, as shown in figure 5.

Now yous're set up to opt your app in to Play App Signing and upload your app for release. If you're new to the app publishing process, you may want to read the Launch overview. Otherwise, proceed to the page about how to Upload your app to the Play Console.

Using Play App Signing

As described before in this page, configuring Play App Signing is required to sign your app for distribution through Google Play (except for apps created before August 2021, which may continue distributing self-signed APKs). The steps you need to take depend on whether your app has not yet been published to Google Play, or your app is already signed and was published before August 2021 using an existing app signing key.

Configure a new app

To configure signing for an app that has not nonetheless been published to Google Play, proceed equally follows:

  1. If you oasis't already done and so, generate an upload key and sign your app with that upload key.
  2. Sign in to your Play Panel.
  3. Follow the steps to set & curlicue out your release to create a new release.
  4. Afterwards yous choose a release track, configure app signing under the App Integrity department equally follows:
    • To have Google Play generate an app signing key for you and employ it to sign your app, yous don't have to practice anything. The key you use to sign your first release becomes your upload fundamental, and you should use it to sign future releases.
    • To use the same key as some other app on your developer business relationship, select Change app signing key > Use my own primal > Use the same key every bit another app in this business relationship, select an app, and and so click Go along.
    • To provide your own signing key for Google to utilize when signing your app, select Change app signing central > Utilise my ain key and select one of the options that lets you securely upload a private cardinal and its public certificate.

In the section called App Bundles, click Browse files to locate and upload the app you signed using your upload primal. For more information well-nigh releasing your app, refer to prepare & roll out your release. When you release your app later configuring Play App Signing, Google Play generates (unless yous upload an existing key) and manages your app'southward signing key for you. Simply sign subsequent updates to your app using your app's upload key before uploading it to Google Play.

If you need to create a new upload central for yous app, go to the section most how to Reset a lost or compromised private upload key.

Opt in an existing app

If you're updating an app that's already published to Google Play using an existing app signing key, you lot can opt in to Play App Signing as follows:

  1. If you haven't already done so, sign your app using Android Studio with your existing app signing central and brand sure to cheque the box next to Export encrypted key to save your signing central as an encrypted *.pepk file. You lot'll need this file in a after step. This tin also be done using the PEPK tool, which you tin download from the Play Panel.
  2. Sign in to your Play Console and navigate to your app.
  3. On the left menu, click Release > Setup > App integrity.
  4. If applicable, review the Terms of Service and select Take.
  5. Select 1 of the options that best describes the signing key you desire to upload to Google Play and follow the instructions that are shown. For example, if y'all used Android Studio to export your app'south signing key, every bit described on this folio, select Upload a key exported from Android Studio and upload the *.pepk file for your key.
  6. Click Enroll.

You should now see a page with the details of your app'south signing and upload certificates. Google Play now signs your app with your existing key when deploying information technology to users. Nonetheless, one of the almost important benefits to Play App Signing is the ability to separate the key you use to sign the artifact you upload to Google Play from the key that Google Play uses to sign your app for distribution to users. So, consider following the steps in the side by side section to generate and annals a separate upload key.

Generate and register an upload certificate

When yous're publishing an app that is non signed past an upload primal, the Google Play Console provides the selection to annals one for future updates to the app. Although this is an optional step, it's recommended that you publish your app with a key that's separate from the one Google Play uses to distribute your app to users. That way, Google keeps your signing cardinal secure, and you have the option to reset a lost or compromised individual upload key. This section describes how to create an upload primal, generate an upload certificate from it, and annals that certificate with Google Play for future updates of your app.

The following describes the situations in which you encounter the option to annals an upload certificate in the Play Console:

  • When you lot publish a new app that's signed with a signing key and opt information technology in to Play App Signing.
  • When you are about to publish an existing app that'southward already opted in to Play App Signing, but information technology is signed using its signing key.

If you are not publishing an update to an existing app that'southward already opted in to Play App Signing, and you'd similar to register an upload certificate, consummate the steps beneath and continue on to the section most how to reset a lost or compromised individual upload cardinal.

If you haven't already washed then, generate an upload central and keystore.

After you create your upload key and keystore, y'all demand to generate a public certificate from your upload key using keytool, with the post-obit control:

$ keytool -consign -rfc   -keystore          your-upload-keystore.jks          -alias          upload-alias          -file          output_upload_certificate.pem        

Now that you have your upload document, register it with Google when prompted in the Play Console or read the section below to register it though the Google Play support squad.

Upgrade your app signing key

In some circumstances, you might desire to change your app's signing central. For example, because yous want a cryptographically stronger key or your signing central has been compromised. However, because users can simply update your app if the update is signed with the same signing key, it's difficult to change the signing key for an app that's already published.

If you publish your app to Google Play, you lot tin can upgrade the signing fundamental for your published app through the Play Console—your new primal is used to sign new installs and app updates, while your older app signing key is used to sign updates for users who installed your app before the key upgrade.

To learn more, read Upgrade your app signing key for new installs.

Reset a lost or compromised individual upload primal

If you lost your individual upload key or your private key has been compromised, you can create a new 1 and contact the Google Play support team to reset the fundamental.

Configure the build process to automatically sign your app

In Android Studio, you can configure your project to sign the release version of your app automatically during the build process by creating a signing configuration and assigning it to your release build type. A signing configuration consists of a keystore location, keystore countersign, key allonym, and key password. To create a signing configuration and assign it to your release build type using Android Studio, consummate the following steps:

  1. In the Projection window, right click on your app and click Open Module Settings.
  2. On the Project Structure window, under Modules in the left panel, click the module yous would like to sign.
  3. Click the Signing tab, so click Add .
  4. Select your keystore file, enter a proper noun for this signing configuration (as y'all may create more than i), and enter the required information.

    Figure 7. The window for creating a new signing configuration.

  5. Click the Build Types tab.
  6. Click the release build.
  7. Under Signing Config, select the signing configuration you but created.

    Figure 8. Select a signing configuration in Android Studio.

  8. Click OK.

Now every time you build your release build blazon by selecting an option under Build > Build Packet(southward) / APK(due south) in Android Studio, the IDE volition sign your app automatically, using the signing configuration y'all specified. Y'all can discover your signed APK or app packet in the build/outputs/ directory inside the project directory for the module yous are edifice.

When you create a signing configuration, your signing data is included in plain text in your Gradle build files. If you are working in a team or sharing your lawmaking publicly, you should keep your signing information secure by removing it from the build files and storing it separately. Y'all can read more about how to remove your signing information from your build files in Remove Signing Information from Your Build Files. For more than about keeping your signing information secure, read Secure your key.

Sign each production flavor differently

If your app uses production flavors and you would similar to sign each flavor differently, y'all tin can create boosted signing configurations and assign them by flavour:

  1. In the Project window, right click on your app and click Open Module Settings.
  2. On the Project Construction window, under Modules in the left panel, click the module yous would similar to sign.
  3. Click the Signing tab, and then click Add together .
  4. Select your keystore file, enter a name for this signing configuration (as you may create more than than one), and enter the required information.

    Figure x. The window for creating a new signing configuration.

  5. Repeat steps 3 and 4 equally necessary until yous have created all your signing configurations.
  6. Click the Flavors tab.
  7. Click the flavour yous would like to configure, then select the appropriate signing configuration from the Signing Config dropdown menu.

    Figure eleven. Configure signing settings past product season.

    Repeat to configure whatever additional product flavors.

  8. Click OK.

Y'all can also specify your signing settings in Gradle configuration files. For more information, run into Configuring Signing Settings.

Manage your ain signing key

If you lot choose not to opt in to Play App Signing (only for apps created before August 2021), y'all can manage your own app signing cardinal and keystore. Keep in mind, you are responsible for securing the key and the keystore. Additionally, your app will not exist able to back up Android App Bundles, Play Characteristic Delivery and Play Asset Delivery.

When y'all are fix to create your own cardinal and keystore, brand certain yous start choose a strong password for your keystore and a split up strong password for each private key stored in the keystore. Yous must keep your keystore in a safety and secure place. If you lose admission to your app signing fundamental or your key is compromised, Google cannot retrieve the app signing cardinal for you, and y'all volition non be able to release new versions of your app to users equally updates to the original app. For more information, run across Secure your key, beneath.

If you manage your own app signing key and keystore, when y'all sign your APK, you will sign it locally using your app signing cardinal and upload the signed APK directly to the Google Play Store for distribution every bit shown in figure x.

Figure 12. Signing an app when you manage your own app signing key

When you use Play App Signing, Google keeps your signing fundamental condom, and ensures your apps are correctly signed and able to receive updates throughout their lifespans. Nonetheless, if you lot decide to manage your app signing key yourself, there are a few considerations you should keep in mind.

Signing considerations

You lot should sign your app with the same certificate throughout its expected lifespan. There are several reasons why you should exercise so:

  • App upgrade: When the organisation is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The arrangement allows the update if the certificates friction match. If y'all sign the new version with a different certificate, you must assign a different bundle proper noun to the app—in this case, the user installs the new version as a completely new app.
  • App modularity: Android allows APKs signed by the same document to run in the aforementioned process, if the apps so request, and so that the arrangement treats them every bit a single app. In this way you can deploy your app in modules, and users can update each of the modules independently.
  • Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app tin can expose functionality to another app that is signed with a specified document. By signing multiple APKs with the same certificate and using signature-based permissions checks, your apps tin share code and data in a secure manner.

If you plan to support upgrades for an app, ensure that your app signing key has a validity period that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key'south validity period expires, users will no longer be able to seamlessly upgrade to new versions of your app.

If you plan to publish your apps on Google Play, the key you use to sign your app must have a validity period catastrophe subsequently 22 October 2033. Google Play enforces this requirement to ensure that users tin can seamlessly upgrade apps when new versions are available.

Keep your key secure

If y'all choose to manage and secure your app signing fundamental and keystore yourself (instead of opting in to Play App Signing), securing your app signing key is of critical importance, both to you and to the user. If you lot permit someone to use your central, or if you leave your keystore and passwords in an unsecured location such that a third-party could find and use them, your authoring identity and the trust of the user are compromised.

If a 3rd party should manage to have your app signing key without your cognition or permission, that person could sign and distribute apps that maliciously replace your accurate apps or decadent them. Such a person could as well sign and distribute apps under your identity that attack other apps or the system itself, or corrupt or steal user data.

Your private key is required for signing all hereafter versions of your app. If you lose or misplace your cardinal, you will not be able to publish updates to your existing app. You cannot regenerate a previously generated key.

Your reputation as a programmer entity depends on your securing your app signing central properly, at all times, until the key is expired. Here are some tips for keeping your cardinal secure:

  • Select strong passwords for the keystore and key.
  • Do not give or lend anyone your private key, and do not let unauthorized persons know your keystore and primal passwords.
  • Go on the keystore file containing your private fundamental in a safety, secure place.

In general, if you follow common-sense precautions when generating, using, and storing your key, information technology volition remain secure.

Remove signing information from your build files

When you create a signing configuration, Android Studio adds your signing information in plain text to the module's build.gradle files. If you are working with a team or open up-sourcing your code, yous should move this sensitive data out of the build files and so it is not hands accessible to others. To do this, you should create a separate properties file to store secure data and refer to that file in your build files equally follows:

  1. Create a signing configuration, and assign information technology to one or more build types. These instructions assume you have configured a single signing configuration for your release build type, as described in Configure the build process to automatically sign your app, above.
  2. Create a file named keystore.properties in the root directory of your project. This file should contain your signing information, equally follows:
    storePassword=myStorePassword keyPassword=mykeyPassword keyAlias=myKeyAlias storeFile=myStoreFileLocation            
  3. In your module's build.gradle file, add code to load your keystore.properties file before the android {} block.

    Groovy

    ...  // Create a variable chosen keystorePropertiesFile, and initialize it to your // keystore.properties file, in the rootProject folder. def keystorePropertiesFile = rootProject.file("keystore.properties")  // Initialize a new Backdrop() object chosen keystoreProperties. def keystoreProperties = new Properties()  // Load your keystore.properties file into the keystoreProperties object. keystoreProperties.load(new FileInputStream(keystorePropertiesFile))  android {     ... }                

    Kotlin

    ... import java.util.Properties import java.io.FileInputStream  // Create a variable called keystorePropertiesFile, and initialize it to your // keystore.backdrop file, in the rootProject binder. val keystorePropertiesFile = rootProject.file("keystore.properties")  // Initialize a new Properties() object chosen keystoreProperties. val keystoreProperties = Properties()  // Load your keystore.properties file into the keystoreProperties object. keystoreProperties.load(FileInputStream(keystorePropertiesFile))  android {     ... }                

    Annotation: You lot could cull to store your keystore.properties file in another location (for instance, in the module folder rather than the root folder for the project, or on your build server if you lot are using a continuous integration tool). In that instance, yous should modify the code to a higher place to correctly initialize keystorePropertiesFile using your actual keystore.backdrop file's location.

  4. Yous tin refer to properties stored in keystoreProperties using the syntax keystoreProperties['propertyName']. Alter the signingConfigs block of your module'due south build.gradle file to reference the signing data stored in keystoreProperties using this syntax.

    Bang-up

    android {     signingConfigs {         config {             keyAlias keystoreProperties['keyAlias']             keyPassword keystoreProperties['keyPassword']             storeFile file(keystoreProperties['storeFile'])             storePassword keystoreProperties['storePassword']         }     }     ...   }

    Kotlin

    android {     signingConfigs {         getByName("config") {             keyAlias = keystoreProperties["keyAlias"]             keyPassword = keystoreProperties["keyPassword"]             storeFile = file(keystoreProperties["storeFile"])             storePassword = keystoreProperties["storePassword"]         }     }     ...   }
  5. Open up the Build Variants tool window and ensure that the release build type is selected.
  6. Select an option under Build > Build Package(southward) / APK(southward) to build either an APK or app packet of your release build. Yous should see the build output in the build/outputs/ directory for your module.

Because your build files no longer contain sensitive information, you tin now include them in source control or upload them to a shared codebase. Be sure to go on the keystore.properties file secure. This may include removing it from your source command organization.

agnesrompubse.blogspot.com

Source: https://developer.android.com/studio/publish/app-signing