Android Question How to sign my app ?

[mr.gedo]

Hello all,

when i try to upload app to google play google need to sign my app - Let Google manage and protect your app signing key (recommended)

if i choose (Opt out of app signing by Google Play)

You'll lose certain benefits if you opt out:

• You won't be able to use Android App Bundles to publish your app. App bundles reduce app size, and automatically optimize your app for each device. Learn more
• Your app signing key won't be protected by Google. If you lose your key, you won't be able to update your app, and you'll need to publish a new app with a new package name.

it's recommended to sign by google or not ?
should every app have a private key or one key for all apps?

Best Regards

 

[Erel]

Point #1 is not relevant. App bundle will not change your app size.

Point #2 depends on your ability to protect the key. If you can backup it properly then I recommend you to sign the APK yourself.

 

[kisoft]

should every app have a private key or one key for all apps?

Each application can have its own key. Or, you can have one key for all your apps. Just remember that it's easy to lose the key and then you won't do anything with the app in the store.

 

[mr.gedo]

Thank you for your reply

I have two questions please

1- Generally, what's the negatives points if I used Google signature ?

2- if I used Google signature can I use my own key to other app or not and also if I used my own key firstly can I used Google signature after that with another app ?

Best Regards

 

[kisoft]

You decide which key to choose each time. Only if the app is published in the store, you won't change the key anymore.

 

[mr.gedo]

actually i'm afraid to losing my private key so i thinking to sign my app by Google but i'm still confused about this conditions
is this condition number (2) below mean that Google will modify my app and re-publish again ?

Effective as of May 8, 2018
By enrolling Your account in app signing by Google Play service (the, "Service"), You consent to be bound by these terms, in addition to the existing Google Play Developer Distribution Agreement ("DDA") and Google Play Developer Program Policies (collectively, the "Agreement"). If there is a conflict between these terms and the Agreement, these terms govern Your use of the Service. Capitalized terms used below, but not defined below, have the meanings ascribed to them under the Agreement.

1. Android App Bundle, Key Generation and Key Storage
1.1. Android App Bundle is a new app publishing artifact. Publishing an Android App Bundle requires enrollment in the Service, which enables the Android App Bundle functionality and provides a secure means of handling Your app signing key(s).

1.2. By selecting any of your existing apps for inclusion in the Service, You agree to give Your existing app signing key(s) to Google. For future apps that you select for inclusion in the Service, Google will generate and store a new app signing key for you.

1.3. You will have the ability to download and review Your APKs that are distributed through Play.

2. Additional License Grants
2.1. By enrolling Your app in the Service, in addition to the license granted in 5.1 of the DDA, for the life of the app, You grant Google a license to (1) use the Android App Bundle that you provide to generate APKs and (2) modify Your app APKs to optimize their performance, security and/or size.

2.2. For the avoidance of doubt, services provided herein will not change the purpose of Your app.

3. Permanent Enrollment
3.1. It will not be possible to retrieve Your app signing key once it is provided to or generated by Google. Google may retain indefinitely a backup copy of the key(s) for disaster recovery purposes.

3.2. You can unpublish Your app and publish a new app with a new package name, without opting into the Service, at any time.

4. Changes to the Agreement
4.1. Google may make changes to these terms at any time by sending You reasonable notice describing the modifications made. Google also will post a notification on the Google Play Console describing the modifications made. They will become effective, and will be deemed accepted by You, (a) immediately for those who opt-in to the Service after the notification is provided, or (b) for pre-existing users, on the date specified in the notice. If You do not agree with the modifications to these terms, You must withdraw from the Service, subject to Section 3, which will be Your sole and exclusive remedy. You agree that Your failure to withdraw constitutes Your agreement to the modified terms.

 

[Erel]

below mean that Google will modify my app and re-publish again ?

No. It means that Google can create APK derived from the app bundle with fewer resources based on the target device.

 

[mr.gedo]

i enabled sign by google and I followed these instructions here https://www.b4x.com/android/forum/threads/google-play-app-signing.91703/

and i don't find pepk.jar but i can download only these two files upload_cert.der And deployment_cert.der

what should i do ?

 

[mr.gedo]

update : i found the pepk.jar tool

is keystore file must created first from b4a tools > Private Sign Key - is thats right ?

 

[Erel]

Both options are possible, assuming that you haven't yet uploaded the app to Google Play.

If you download a new signing key then you will need to set the #SignKeyAlias attribute.

 

[mr.gedo]

here is my steps

1- I created a folder and reneme it to "tool" and copied the pepk.jar and keytool file to it
2- I created my keystore file form b4a tools > Private Sign Key --- then saved it to my Tools folder >> (my_key.keystore)
3- I used this comand i replace key to my new one from google

java -jar pepk.jar --keystore=my_key.keystore --alias=b4a --output=encrypted_private_key_path --encryptionkey=aaaaaaaaaaaaaaaaaaaa1e6c09ffe3056a104a3bbe4ac5a955f4ba4fe93fc8cef27558a3eb9d2a529a20bbbbbbbbbbbbbbbbbbb

this generete the file (encrypted_private_key_path) as you see below

4- I used this command to create the upload key :

keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias b4a

i don't know why this warning ?

5- I used this command to extract the certificate from the key :

keytool -export -rfc -keystore my-release-key.jks -alias b4a -file upload_certificate.pem

i have another warnign !!!?

now i have these files

5- i used this commands to sign my app before i upload it to google
1-

"c:\Program Files (x86)\Anywhere Software\Basic4android\B4ABuilder.exe" -task=Build -NoSign=True

2. zip align the temp file:

C:\Android\build-tools\27.0.1\zipalign.exe -v -p 4 Objects\bin\temp.ap_ aligned.apk

3. sign the aligned apk (change the path to the upload key):

C:\Android\build-tools\27.0.1\apksigner.bat sign --ks "C:\tool\my-release-key.jks" --out signed.apk aligned.apk

Now i have signed.apk in myapp folder but before uploading in google i try to upload the upload_certificate.pem to google but the file must be zip file, i don't have a zip file, what's wrong in my steps ?

which file must be upload ? i only have these files below

 

[mr.gedo]

update :

i remove my app draft and create new one becuse i'm opted in google app sign before i export my key so >> this is my wrong

and i regenerated keystore file by this command

keytool -genkey -v -keystore my_key.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias b4a

and aftar that i used this command to generate zip file with my key from google

java -jar pepk.jar --keystore=my_key.keystore --alias=b4a --output=output.zip --include-cert --encryptionkey=aaaaaaaaaaaaaaaaaaaa1e6c09ffe3056a104a3bbe4ac5a955f4ba4fe93fc8cef27558a3eb9d2a529a20bbbbbbbbbbbbbbbbbbb

this command generated zip file with 2 files inside it
1- certificate.pem
2- encryptedPrivateKey


now i choose Export and upload a key and certificate from a Java keystore
and i'm choosed the zip file to upload it and also i'm upload the upload_certificate.pem in (Create a new upload key for increased security) as you see below

it's enabled without any problem but :

i'm still very confused
I have a big headache

is all my steps correct ?
is my key now protected by Google? and should now I upload the signed apk ?

 

[Erel]

Not sure why you choose to make things more difficult then they should be. Just backup your key.

All the steps needed to sign an app with Google upload key are listed here: https://www.b4x.com/android/forum/threads/google-play-app-signing.91703/

 

[mr.gedo]

Because you told me that Google will improve my app on each device,

No. It means that Google can create APK derived from the app bundle with fewer resources based on the target device.

So I thought this would be better

But if I misunderstood your reply please let me know because it really will be easy for me to make a private key with b4a and take a break from all these steps.

 

[Erel]

You misunderstood my reply. The only reason to use Google Play Signing is if you think that you might lose the signing key. If you are able to safely backup it then there is no reason to use this service.

 

[mr.gedo]

Now I understood you, I'll backup my key in a multiple locations
Thank you