Friday, August 8, 2014

Android APK signing/distributing rules

A summary of the general rules around APK signing.

  • The customer usually holds the signing keystore used for deployment on Google Play.
  • An unsigned APK will NOT install on any device and hence cannot be used for testing.
  • The application can be signed in three different flavors depending on the need:
    `assembleDevelopmentDebug` (debug-signed APK, development flavor)
    `assembleProductionDebug` (debug-signed APK, production flavor)
    `assembleProductionRelease` (unsigned release APK, for the Play store after the customer signs it)
  • These tasks assume the app has defined the flavors and build types with the following blocks in build.gradle:
signingConfigs {
    debug {
        storeFile file('../certificate/debug.keystore')
    }
}

buildTypes {
    debug {
        applicationIdSuffix ".debug"
        debuggable true
        signingConfig android.signingConfigs.debug
    }
    release {}
}

productFlavors {
    development {}
    production {}
}
  • Every APK that is submitted to the Play store needs to be digitally signed with a certificate (keystore). There are usually two types of keystores.

  • debug.keystore: used to sign the application when distributing it in debug mode. You will find this keystore in the ~/.android/ folder on OS X and Linux. It is a standard debug keystore created by the SDK tools with the following predetermined credentials:

    Keystore name: debug.keystore
    Keystore password: android
    Key alias: androiddebugkey
    Key password: android
  • release.keystore: before the application is submitted to the Play store, it must be signed using release.keystore. Once signed and uploaded, all subsequent releases MUST be signed with the same keystore. This is an essential requirement, and not even God Google can restore your access if you lose it. The credentials for this keystore are (ideally) only available to the client. This keystore can be generated using keytool, a Java utility which manages a keystore (database) of cryptographic keys:
$ keytool -genkey -v -keystore my-release-key.keystore
  -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
  • The keystore has three credentials associated with it: the keystore password, the key alias, and the key password. When the above command is executed, it prompts for these new credentials and generates my-release-key.keystore.
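Two of the rules above are easy to get wrong in practice: generating the release keystore interactively (so nobody is sure which parameters were used) and later uploading a build that was signed with the wrong key, for example a debug-signed build made with the well-known debug.keystore. The script below is an added example, not part of the original post or of any project it describes. It generates the release keystore non-interactively with the same keytool parameters as the command above, reads the key's SHA-256 certificate fingerprint, and refuses an APK whose signer is not that key. It assumes a JDK keytool on PATH and, for the APK check only, the apksigner tool from the Android build-tools; the function names, the demo passwords and the app-release.apk path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive release keystore
# generation plus a signer-consistency check before upload. Function names,
# the demo passwords and the "app-release.apk" path are assumptions.
# Requires: keytool (JDK). The APK check additionally needs apksigner from the
# Android build-tools on PATH.

# Strip colon separators and upper-case a fingerprint so that keytool output
# ("AB:CD:...") and apksigner output ("abcd...") compare directly.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two non-empty fingerprints denote the same certificate,
# 1 otherwise (an empty fingerprint never matches, so a failed lookup refuses).
same_signer() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Create a release keystore with the same parameters as the keytool command in
# the post, but without interactive prompts. Passwords come from the caller
# (e.g. environment variables), never from a file committed to the repository.
gen_release_keystore() {
    ks="$1"; alias="$2"; storepass="$3"; keypass="$4"
    keytool -genkeypair -v -keystore "$ks" -alias "$alias" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$storepass" -keypass "$keypass" \
        -dname "CN=Release Signing, O=Example Org, C=US"
}

# SHA-256 fingerprint of the certificate stored under an alias in a keystore.
keystore_sha256() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" \
        | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# SHA-256 digest of the certificate that actually signed an APK. apksigner
# handles v1 (JAR) and v2+ signature schemes, unlike "keytool -printcert -jarfile".
apk_signer_sha256() {
    apksigner verify --print-certs "$1" \
        | sed -n 's/^Signer #1 certificate SHA-256 digest: //p' | head -n 1
}

# Pre-upload check: refuse an APK whose signer differs from the release key.
# This catches a debug-signed build (the standard ~/.android/debug.keystore)
# as well as a build signed with a freshly generated, wrong keystore.
check_release_apk() {
    expected=$(keystore_sha256 "$1" "$2" "$3")
    actual=$(apk_signer_sha256 "$4")
    if same_signer "$expected" "$actual"; then
        echo "OK: $4 is signed with the release key ($expected)"
    else
        echo "REFUSED: $4 signer '$actual' != release key '$expected'" >&2
        return 1
    fi
}

# Demo: runs only when keytool is installed. The password is a demo
# placeholder; PKCS12 keystores (the JDK default since Java 9) use a single
# password for store and key, so the same value is passed for both here.
if command -v keytool >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    gen_release_keystore "$tmp/my-release-key.keystore" alias_name \
        "demo-release-password" "demo-release-password"
    echo "Release key SHA-256: $(keystore_sha256 "$tmp/my-release-key.keystore" \
        alias_name demo-release-password)"
    if [ -f app-release.apk ] && command -v apksigner >/dev/null 2>&1; then
        check_release_apk "$tmp/my-release-key.keystore" alias_name \
            demo-release-password app-release.apk
    fi
    rm -rf "$tmp"
fi
```

Run it once to see the fingerprint of a throwaway keystore; in a release pipeline, call check_release_apk with the real keystore path, alias and password (supplied from a secret store, not from build.gradle) against the build output, and fail the job before the upload step when it returns non-zero. Record the release key's fingerprint once and compare every future build against it: since all later releases must be signed with the same keystore, this is the check that stops a wrong-key upload.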

  • For uploading the APK to the Play store, the following images should help.

