Understanding Android App Signing for Publishing your app on Google Play Store

Demystifying Debug, Upload, and Deployment Keys

App signing is a critical process in Android app development, designed to ensure the security and authenticity of the apps that users download and install on their devices. Android requires that all APKs (Android Package files) be digitally signed with a certificate before they are installed on a device or updated.

What does App Signing do?

  1. App Authenticity: When an app is signed, it carries a digital signature that uniquely identifies its source, the publisher of the app.

    • Imagine you're downloading a popular app like WhatsApp. You know it's available on the Play Store, but you've heard about modified versions from other sources (like GBWhatsapp). Both the official Play Store WhatsApp and these mods may have the same package name (com.whatsapp). However, the key point is that you can't install a modded WhatsApp as an "update" over the official one already on your device, because the two were signed with different keys by different publishers.

    • To release updates on the Google Play Store, developers must sign the new version with the same key used for the original app. This way, users can confidently update their apps, knowing they are getting a genuine update.

  2. Integrity Assurance: App signing ensures the integrity of the app. If any part of the app is modified after signing, the signature becomes invalid. This prevents unauthorized or malicious alterations to the app's code and resources, safeguarding both the user's experience and the app's security.

Basic Terminologies Before Getting Started

  1. Keystore: Java Keystores (.jks or .keystore) are binary files that serve as repositories of certificates and private keys.

  2. App Signing Key (or Deployment Key): This private key is used to sign APKs that are installed on a user's device. This signing key never changes during the lifetime of your app. The app signing key is private and must be kept secret.

    • The Keystore file (.jks) is automatically generated by Play Console when you first try to upload an app bundle there. (You can find it at Setup > App integrity > App signing).

    • This keystore stays with Google. You do not have access to the .jks file. So, it's safe and won't get lost.

  3. Upload key: This private key is used to sign the app bundle (.aab) or APK (.apk) before you upload it for app signing with Google Play. The upload key must also be kept secret.

    • Generate the Upload Keystore that contains this key:

      1. On Linux or macOS,

         keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA \
                   -keysize 2048 -validity 10000 -alias upload
        
      2. On Windows, use the following command in PowerShell (the original used cmd.exe syntax, `%userprofile%` and `^`, which PowerShell does not expand; `$env:USERPROFILE` and the backtick line continuation are the PowerShell equivalents):

         keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks `
                   -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 `
                   -alias upload
        
    • The app is signed in "Release Mode". Play Store will accept the AAB app bundle to publish it.

  4. Debug key: This is used during app development. It's used for debugging and testing purposes.

    • You do not need to create the Debug Keystore yourself: the Android build tools generate it automatically (by default at ~/.android/debug.keystore). Running ./gradlew signingReport lists the keystores and certificate fingerprints each build variant is signed with, including the debug one.

    • Using this, the app will be signed in "Debug Mode". Play Store will NOT accept the AAB app bundle. You cannot publish apps signed with this key.

    • Apps signed with a debug keystore are only suitable for creating app development builds and should not be used for public distribution.

So, there are three kinds of builds now:

  • Development build APK which is signed using the Debug key

  • Your Release build AAB app bundle which is signed using your Upload key. Do NOT lose this key!

  • Your Release build APK is signed by Google Play using the Deployment key. Google Play Console manages this key and keeps it secure, so only your Google Play account can publish updates for your app. No other person can release an update for your app.

Which Keys Do I Need?

If your goal is to publish your app on the Google Play Store, there's no need to generate or use the Debug keystore. Instead, you should generate your Upload keystore and consistently use it to build your app.

In summary:

  • Use the Debug keystore if you do not intend to publish your app on the Google Play Store. In this case, you don't need to be concerned about any other key.

  • Opt for an Upload keystore if your plan involves publishing your app on the Google Play Store. You can safely discard the Debug keystore.

    • Here, the Deployment Keystore is not something you need to manage yourself. Publishing apps using it is entirely handled by the Google Play Store.

That was it! If you came here to understand the differences between the keystore files, you do not need to read any further 👍

If you want to dive deeper, let's understand Signing Certificates.

Understanding Signing Certificates and their use case

A Signing Certificate is also known as a digital certificate or an identity certificate. It contains a public key and some metadata that identify the publisher who holds the corresponding private key.

You can generate a Certificate from the keystore. Even though the Keystore itself must be kept secret, the certificate generated from it can be shared, since it contains only the public key and not the private key.

What is the use case of this certificate?

Let's understand using an example. Certain Google services (such as Google Sign-in and App Invites from Firebase) require you to provide the SHA-1 fingerprint of your signing certificate.

So, if you are signing your app with upload keystore, add the SHA-1 fingerprint of your upload keystore in Firebase Console > Settings Icon > Project settings > Add fingerprint.

  • You can get the SHA-1 fingerprint of Upload keystore using:

      keytool -v -list -keystore /path/to/upload-keystore.jks
    
  • Also, you can get the SHA-1 fingerprint of Upload keystore and Deployment keystore on Play Console at Setup > App integrity > App signing

Then the question arises: which SHA-1 should I add to the Firebase Console? Play Console shows two SHA-1 fingerprints, and you have to add both to Firebase. Why? To publish your app, you need to request an App review from the Play Store, and the app you submit is always signed with your Upload keystore. So, for that Upload-keystore-signed app to work properly with those Firebase features, you need to add the SHA-1 of the Upload keystore in Firebase.

After your App review request is accepted, Play Console automatically re-signs your app with the Deployment keystore and then publishes it on the Play Store. So, for that Deployment-keystore-signed app to work properly for end users, you also need to add the SHA-1 fingerprint of the Deployment keystore in Firebase.
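As an added example (not from the original post), here is a small POSIX shell helper that pulls the certificate fingerprints out of `keytool -v -list` output and checks that the SHA-1 you are about to paste into Firebase is the same one Play Console shows for the upload key. The keytool output and the Play Console value below are constructed samples; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: extract fingerprints from `keytool -list -v` output and
# compare the upload-key SHA-1 with the value shown on Play Console.

# Print the first fingerprint for the given algorithm (SHA1 or SHA256)
# from keytool output read on stdin. keytool prints them indented under
# "Certificate fingerprints:" as "SHA1: AA:BB:...".
fingerprint_from_keytool() {
    sed -n "s/^[[:space:]]*$1: \([0-9A-Fa-f:]*\).*/\1/p" | head -n 1
}

# Normalise a fingerprint to bare upper-case hex so values copied from
# keytool, Play Console or Firebase compare equal regardless of colons
# or letter case.
normalise_fingerprint() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Succeeds when two non-empty fingerprints denote the same certificate.
fingerprints_match() {
    [ -n "$1" ] && [ "$(normalise_fingerprint "$1")" = "$(normalise_fingerprint "$2")" ]
}

# Constructed sample of `keytool -v -list -keystore upload-keystore.jks`.
SAMPLE_KEYTOOL_OUTPUT='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: upload
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA1: 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
     SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# Constructed value as it might be pasted from Play Console > Setup >
# App integrity > App signing (upload key certificate); colons and case
# can get lost when copying, which is why we normalise before comparing.
PLAY_CONSOLE_UPLOAD_SHA1='0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d'

upload_sha1=$(printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | fingerprint_from_keytool SHA1)
if fingerprints_match "$upload_sha1" "$PLAY_CONSOLE_UPLOAD_SHA1"; then
    echo "Upload key SHA-1 matches Play Console; add $upload_sha1 to Firebase"
else
    echo "Mismatch: check that you listed the right keystore and alias" >&2
fi
```

With a real keystore, replace the sample with `keytool -v -list -keystore /path/to/upload-keystore.jks | fingerprint_from_keytool SHA1`; the Deployment keystore's SHA-1 can only be read from Play Console, since you never hold that keystore.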

The Android ecosystem is vast and ever-evolving, and while we've covered key aspects of App Signing and key stores, there's always more to learn and discover. I recognize that no article is perfect, but I hope that this has been a helpful guide in your app development endeavors. Let's continue to learn and grow together. Your input is both welcome and appreciated!

Connect with me

I'm Ashutosh, passionate about crafting cool projects with React and React Native. Explore more of my writings on ashuvssut.hashnode.dev.
