Google Play How Do I Get My Upload Key

Answers to common questions almost Play App Signing

Android apps are cryptographically signed past the developer. This allows the package manager on the user's device to verify that every app update comes from the same source and that it hasn't been tampered with. Google Play besides enforces this signature check when you upload your APK to the Google Play Console, so that even if someone had your login credentials it would be incommunicable to ship a malicious update without also having access to your private key.

Historically, developers were responsible for generating their own individual keys and keeping them safe throughout the application'due south lifetime. While this offered a lot of flexibility, it was also prone to mistakes: generating weak keys, accidentally checking in your private key to a public repository or even losing information technology altogether are simply a few common ones that happen routinely even to seasoned developers.

Nowadays developers have a compelling alternative to managing keys themselves: Play App Signing, in which the upload key (the one you lot use to upload your artifacts to Google Play) and the app signing key (the 1 used to sign APKs distributed to devices) can be carve up, and the app signing key is stored securely on Google's infrastructure.

Fifty-fifty though many other pop platforms treat distribution keys this way, for many developers information technology's a departure from the previous Android signing model, and some developers may feel like they're giving upward as well much control over their apps.

That's why, I want to dispel some common misconceptions about Play App Signing, besides every bit give guidance on specific scenarios that you might encounter.

This advice is based on questions our Developer Relations squad has heard from developers at conferences, in online forums and our 1:i chats.

Let'southward outset with the about compelling reason to switch to Play App Signing:

i. I've lost the key used for signing release artifacts that I upload to Google Play. What are my options?

Without Play App Signing: Without the app signing fundamental,
there's zilch you or Google can do to continue updating your app due to security protections built into Android. Your but option is to
create a new store listing with a new bundle proper noun and start from scratch.

With Play App Signing: You can request a new upload key. Play will be able to proceed signing your app updates with the app signing cardinal, which is securely stored past Google.

If I were to proper noun one reason that speaks for the adoption of app signing, information technology would be the i to a higher place. But before we go further and talk most specific scenarios that app signing can assistance you remediate (there are more than!), let'due south pause to answer a meta-question first:

2. Why does Google want developers to switch to Play App Signing?

Google Play's commencement priority is to build a trusted, safe, and secure platform for billions of users and millions of developers for many years into the future.

The sustainability and success of the ecosystem depends on this. Almost developers cannot lucifer the level of security that Google can offer.

The new app model, where Play ingests publishing artifacts and generates signed artifacts is designed to minimize the surfaces where the signing keys could be exposed. It is not only secure, but also more than efficient, and future-looking with benefits for end-users and developers alike.

For example, a number of apps currently on the Play Store still haven't adopted the more secure v2 signing scheme. Once enrolled into Play App Signing, apps benefit from the new protections and future enhancements automatically, without developer piece of work required.

And finally, separating the publishing format (using Android App Bundles) from the serving format (split APKs) unlocks benefits for developers and users alike: from increased security, to optimization, reduced complexity and fragmentation. In club to exercise this, however, Play must have the power to sign the serving artifacts.

Some examples of features available correct now are automatic size optimizations for app commitment, as well as new customizable delivery options for modules in your app.

More importantly, it gives united states a way to evolve and improve the delivery mechanisms in the future, while ensuring the trust and rubber of the distributed artifacts.

Even though we continue to ameliorate our serving stack, we don't modify and distribute your application code without your cognition and approving, and the new optimizations Play performs are available for your inspection in the open source bundletool. Afterward in this FAQ I discuss some of the metadata (metadata which doesn't impact how your app works) differences you might see betwixt artifacts downloaded from Play and generated locally.

3. My app signing fundamental was generated many years ago and I'g afraid its cryptographic strength no longer meets today'southward standards or I believe that my app signing key has leaked. What can I do to upgrade?

Without Play App Signing: As previously mentioned, you cannot but switch to a new primal, as that would mean your existing users would not be able to get app updates. Yous either have to continue using your existing key and risk the rubber of your users' data or start a new app entry from scratch.

With Play App Signing:
If you are using a weak fundamental or your key was compromised, you can upgrade your app signing key for new installs.

This works by delivering APKs signed with your legacy key to existing users when they update the app, while fresh app installations get APKs signed with the upgraded, secure cardinal.

Consider enabling app signing now and switching to using a separate upload cardinal as shortly as possible, reducing the likelihood of e'er compromising the app signing key.

The electric current process of upgrading to a new key is non instantaneous and if the app signing key leaks, your existing users will be at chance until they reinstall the app or move to a new device.

Please note that the current fundamental upgrade process does not take advantage of the key rotation feature introduced in Android ix (Pie) and above. Nosotros are currently investigating back up for cardinal rotation using app signing v3 for devices on these Bone versions and will let the developer community know in one case it'southward ready in a separate announcement.

four. The upload key I used for signing my artifacts was stolen. What are my options?

Without Play App Signing: There is no concept of a separate "upload key", then if your release signing key leaks, you could be in big trouble: someone could create malicious or unauthorized versions of your app that would be indistinguishable (and updateable!) from your original APKs.

Of course, Google account protection applies to Google Play Console access (and we recommend developers enable 2-stride verification), so the attacker would withal accept to notice a fashion to trick a user into sideloading such a modified APK. Nevertheless, your app's security is weakened.

Refer to the question 3. above almost a compromised app signing cardinal to see what kind of remediations are available, including fundamental upgrade for new installs.

With Play App Signing:
If your upload key is dissever from your app signing key (which I cannot recommend highly plenty), and the upload cardinal is the one that leaked, that means your users' data is safe — the upload cardinal is not plenty for an attacker to be able to impersonate APKs signed with the app signing primal. Only request a new upload key.

If you connected to use your app signing key for uploading to Play when you first enabled app signing, and that app signing key leaked, you are in a scrap of a worse situation, but app signing tin can still remedy the trouble. Follow the communication on how to upgrade your fundamental for new installs.

5. I enabled Play App Signing for my app, but I changed my mind and would like to download the app signing primal that is stored on Google's infrastructure.

Information technology's non possible for you, or anyone else on your developer account, to download and save the individual central for your app that'southward stored on Google's secure infrastructure. This is to ensure the protection of your app signing key.

If you lot foresee a state of affairs in which you lot volition demand continued admission to your app signing key, you should do the following when enabling app signing:

• Do non select the selection for Google Play to generate the app signing primal for you. Generate your signing primal locally on your machine instead.
• Securely transfer your key to Google Play, and exercise not delete it from your machine.
• Proceed the central secure, ensuring it doesn't leak to third parties.
• Make sure to create and examination backups of your fundamental regularly, as you will non exist able to download it from Google in case you lose it.

These steps are explained in the documentation. Look for the instructions on how to "opt in for an existing app" to see how to encrypt your signing key to upload it to the Google Play Console from Android Studio or the command line.

If you are absolutely certain you lot will not demand continued admission to your private app signing cardinal, we recommend that you either let Play generate your key (for new apps) or that you delete your copy later transferring information technology to Play, and switch to using an upload key.

The upload key tin can be reset, and it doesn't compromise your users' security in case it leaks.

six. How can I be sure my private key is not intercepted when I transfer it to Google Play?

If yous're enabling app signing for a new app and select the option to generate a new primal in Google Play Console, the cardinal is never transferred and is generated directly on Google'southward secured server, so you're all set.

If you need to transfer your existing signing key (optionally for new apps and mandatory for existing apps), yous ever do that in encrypted form. Whether you export the fundamental from Android Studio or from the command line, you lot will employ the Play's Encrypt Private Key (PEPK) tool locally on your auto before transferring the key.

In example you lot need to know details of the encryption used, PEPK uses P256 Elliptic Bend asymmetric encryption with AES symmetric encryption. If you lot demand to inspect the tool farther and get more details, we give you lot the opportunity to download the PEPK tool and its source code during the app signing sign upwardly flow.

Feel free to review or compile it yourself, so that information technology tin be run in your own secure environs, ensuring that the unencrypted central is never exposed.

Only use versions of PEPK downloaded from the Google Play Console, never download it or its source from unverified third-party websites.

vii. How is the key protected at rest on Google's infrastructure? How can I be sure no one is accessing it?

When you use Play App Signing, your keys are stored on the same infrastructure that Google uses to store its ain keys.

Key access is governed by strict ACLs and tamper-axiomatic audit trails for all operations.

All artifacts generated and signed with the developer'southward fundamental are made available to you in the Google Play Console for inspection/attestation.

Furthermore, to prevent primal loss, nosotros make very frequent backups of our main storage. These backups are strongly encrypted and we regularly test restoring from these backups.

If you lot want to learn almost Google's technical infrastructure, read the Google Cloud Security Whitepapers.

8. I require a public certificate to sign up for external services, but I don't accept access to my key. What can I do?

If you want to employ services or APIs that require signing up with a hash of the public certificate of your application, you tin view or download the public certificate fingerprints from the Google Play Console's "App signing" department:

Remember to e'er utilise these fingerprints when enabling services for the release versions of your app, and non the ones derived from your upload fundamental.

Most services allow yous to enable multiple certificates for your application, so you can continue testing with locally congenital APKs, as well as APKs generated by Google Play.

nine. Are artifacts that Google Play distributes to users of my app any unlike from the ones I build locally, other than the key used to sign them?

Every bit stated earlier, Play will not modify the functionality of your awarding without your knowledge and approval. It does withal insert a minuscule corporeality of metadata that helps with verifying the source and integrity of the distribution. This metadata comes in ii flavors:

• For all apps uploaded to Google Play, Play has been calculation security metadata after the signing block to enable features such as authorized P2P app sharing. We appear this originally in a web log post in 2017.
• For apps uploaded as app bundles, we will improve this security by introducing what is called a source postage stamp. This source metadata is inserted into the app's manifest by bundletool. When the APK is generated on Play's server, it's also signed with a Google key in improver to your app signing key.

This means the security metadata cannot be removed or tampered with without invalidating the Google signature. This gives a loftier conviction signal that unmodified APKs containing the source stamp must have come from Google Play.

Yous can apply the open-source bundletool locally to generate APKs from bundles in the same way Play does on the server. The source stamp metadata added past bundletool will not exist signed by Google's key. Other source signatures will be possible when ApkSigner is updated with the next Android release.

10. How can I access the final artifacts that Google Play distributes to users of my app?

There are multiple options available to y'all:

• For testing purposes, y'all can use an internal app sharing link for any historical version of your app from the Google Play Console's app bundle explorer. Tapping the link on a device volition install the APKs that the Play Shop would install in prod for that device.
• Yous tin also download signed, device-specific APKs from the Google Play Panel'south app bundle explorer.

eleven. How can I go on distributing my app to other stores if I desire to use Play App Signing?

It's entirely possible to distribute apps in multiple ways and through unlike channels. There are a few considerations that you have to keep in heed, depending on if it'southward a new or existing app:

For new apps, you can use separate signing keys for each distribution aqueduct, and let Google generate the key used by Google Play for you. This is the most secure way for apps distributed on Play, every bit the key never leaves Google's servers and minimizes the chance that someone intercepts the central to nigh nothing.

Alternatively, if you don't want to manage multiple keys but still do good from the full security of Play App Signing, you lot will before long exist able to download signed universal APKs from the app bundle explorer and distribute them to other stores.

For existing apps, if you're already using a unmarried fundamental for different stores, y'all can keep doing this if you lot wish. You lot'll be asked to upload the existing key when enabling app signing on Google Play.

Optionally, you lot can consider the key upgrade functionality mentioned earlier in this FAQ to motility away from sharing the key used by Google Play with other distribution channels over time.

At that place is one caveat that comes with the in a higher place communication: please notation that if you lot decide to use separate signing keys for unlike stores, your users volition not exist able to cross-update the app between different distribution channels, such every bit when someone has originally installed the app through another shop and then tries to update it through Play. They will need to uninstall and install the awarding again.

12. I'yard busy working on features and all of this sounds similar a lot. Exercise I have to switch to Android App Bundles or utilize avant-garde features like dynamic delivery?

No, you don't have to practice everything at in one case.

Y'all can opt in to Play App Signing and continue publishing APKs for the fourth dimension beingness. When yous're ready, you can offset publishing Android App Bundles.

Publishing with an app bundle is straightforward for build systems which support it and automatically brings size reduction benefits for about apps.

Over time, you can accept reward of avant-garde features such as dynamic delivery. For apps, you tin can modularize your app with dynamic feature modules to improve build times and have advantage of customizable commitment. Games can use dynamic asset delivery to evangelize high quality assets either at install time or post install with customizable delivery modes and smart targeting options.

If you'd like to starting time using app signing, merely your management or security teams need an explanation of the benefits and caveats of app signing, please experience free to forward the questions and answers to them. Feel free to add questions in the comments, I'll exercise my best to find answers for you if possible!

sparkgragairehe36.blogspot.com

Source: https://medium.com/androiddevelopers/answers-to-common-questions-about-app-signing-by-google-play-b28fef836af0

Share this post