Create an application signature using Google Play App Signing

By | 13.08.2017

Because the signature key is used to verify that you are the developer of the application, and to provide secure updates for your users, securing the key is very important to both you and the users. There are various ways to sign your applications.

Recently, Google added a new feature to store keys: in its own infrastructure through Google Play App Signing. The main difference here is that you sign the application with a special upload key, which Google checks and deletes, replacing it with the original app signature key that you provided.

With it, you can manage app signing keys for both new and published applications, which in turn will be stored by Google in their own keystore. To join this program, you must subscribe to it in your Google Play Console.

This method is very useful, because if you lose the keystore, Google Play App Signing will reset the key to install a new one. Agree, this is much easier than every time to publish the application again with a new package name and key.

Let’s try using this method to publish new application : System app manager.

First, you need to create a upload key, which Google will use to check the APK. To do this, we create a new keystore with the help of the Android Studio menu via the Build – Generate Signed APK, which will contain our upload key. The signature of the application will be created using Gradle, and the file containing the path to the keystore and passwords will be derived from the project and stored separately.

signingConfigs {
    release {
        if (project.hasProperty("Keys.repo")) {
            def projectPropsFile = file(project.property("Keys.repo") + "/system-app-manager.properties")
            if (projectPropsFile.exists()) {
                Properties props = new Properties()
                props.load(new FileInputStream(projectPropsFile))

                storeFile file(file(project.property("Keys.repo") + props['RELEASE_STORE_FILE']))
                storePassword props['RELEASE_STORE_PASS']
                keyAlias props['RELEASE_ALIAS']
                keyPassword props['RELEASE_KEY_PASS']
            }
        } else {
            println "======================================================="
            println "[ERROR] - Please configure release-compilation environment - e.g. in ~/.signing  directory"
            println "======================================================="
        }
    }
}

Then, with the generated key, you must sign APK to create the release version, and upload it to the pre-created project in the developer console. During the download, you will be asked to sign up for the Google Play App Signing program, if you have not already done so.

After filling in all the necessary fields in the console and publishing the application on Google Play, the application will already use a different signing key that will be stored by Google and sent to users when the application is downloaded from the market.

To find out that the application is signed by Google, and not by the developer, you can use the following metadata element contained in the <application> tag in the manifest file:

<meta-data android:name="com.android.vending.derived.apk.id" android:value="[ID]" />

How do I reset the download key?

In case you lost your boot key or it was kidnapped by someone, you can reset it in the developer console. To do this, you need:

  1. Create a new upload key in the same way that it was done at the beginning of the article. Then it will need to be exported to the PEM certificate with the following command.
    keytool -export -rfc -alias upload -file <upload_certificate.pem> -keystore <keystore.jks>
  2. After creating the certificate, you need to contact the support team for the next link by filling in all the fields and attaching the certificate file. Once the request has been processed, instructions for changing the key will be sent to your e-mail.

Let’s download the published application and see what’s inside it. To do this, we will use any decompiler of APK files.

If you open the application manifest, then inside you can find the same line with the metadata, about which we spoke above.

This identifier will be used in error reporting tools and it is possible to determine the desired APK file by it.

Unfortunately, there is no optimization for APK, as claimed by the developers. Google Play should provide an optimized APK with the appropriate locale and density of the screen. However, if you look at what is in the resources of the decompiled APK, then you can find there all the localizations that were created for the application, and layout of the screens with density.

In addition to the decompiler, this can also be checked by the aapt.exe utility (Android Asset Packaging Tool), which is included with the Android SDK. To do this, enter the following command:

aapt dump badging apk_name.apk

The new technology from Google has made life easier for developers, we will reap when it really makes the output APK file smaller.

Leave a Reply

Your email address will not be published. Required fields are marked *