General question: AIR app signing by Google Play

[Oldes]

Hi there,

I'm close to release a new app into Google Play and as usually, there is so many changes since I went last time through this. I wonder if you use Google Play's app signing and if so, what is the right way to get it working with AIR development process?

Thanks for any info!
Oldes

[Oldes]

It looks that I'm not alone who has the same problem, as there are questions like:
https://stackoverflow.com/questions/45753212/convert-der-certificate-to-p12
or https://stackoverflow.com/questions/59191161/create-p12-certificate-for-an-adobe-air-android-app-to-upload-to-google-play

The problem is, that certificates from Google Play (deployment and upload) contains only public keys.. @ajwfrost I wonder if it is possible to use these DER files to sign the app using ADT?

[FliplineStudios]

Personally I've only ever used my own p12 certificate, and haven't opted in to Google's app signing for any releases. Using Google's signing isn't a requirement for uploading APKs (and haven't seen anything definitive from them saying it would be at any specific point). I believe right now using Google's signing is only required for aab bundles, but those aren't working quite right yet with AIR anyway as it's still experimental in AIR 33 (and also are not a requirement for Google Play uploads).

If there isn't a good solution yet for AIR and DER files yet, at least uploading separate APKs with a self-signed certificate still works fine for now for Google Play.

[Dimensionscape]

The DER is just your public certificate..... It does not contain a private key. You can simply create a self signed certificate, sign your apk and upload.

Cmon guys, this is an issue tracker, not a public forum. Direct these kind of comments/questions to adobe forums or starling forums.

[Oldes]

It looks that I solved it using steps described on this page:
http://tigar.nl/2018/05/15/android-app-signing/

Which are (in case that the page disappear):

1. Create a keystore and add a signing key using Android Studio
2. Sign the app using the key created in (1)
3. Upload the APK to Google Play
4. Download “Upload certificate” from Google Play Console
5. Add downloaded certificate to the keystore created in step (1) using command:
   keytool.exe -importcert -file upload_cert.der -keystore <keystorefile>
6. It should prompt that “Certificate already exists in keystore under alias . Do you still want to add it? [no]:”
7. Type ‘y’ and press enter
8. A confirmation message will appear
9. For subsequent builds sign the app using the same process as in (2)

In my case I was not using Android Studio in step (1), but used Flash Develop's CreateCertificate.bat, which actually calls adt:

adt -certificate -validityPeriod 25 -cn %AND_CERT_NAME% 2048-RSA "%AND_CERT_FILE%" %AND_CERT_PASS%

As this outputs .p12 file, I used keytool:

keytool -importkeystore -srckeystore MY_APP_NAME.p12 -srcstoretype pkcs12 -destkeystore MY_APP_NAME.jks -deststoretype jks -deststorepass MY_NEW_JKS_PASSWORD

As the keytool command from step (5) was producing warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format, I converted the resulted JKS file to a different format using:

keytool -importkeystore -srckeystore MY_APP_NAME.jks -destkeystore MY_APP_NAME.jks -deststoretype pkcs12

Since then I'm using this JKS file with ADT with something like:

adt -package -target apk-captive-runtime -storetype jks -keystore ./MY_APP_NAME.jks -storepass MY_NEW_JKS_PASSWORD ...

[Oldes]

Although the above solution may not be enough as I'm not able to sign in to Google Play Services (as I used to be with older games) (getting: com.google.android.gms.common.api.ApiException: 4) :-/

But maybe it is just because the app is currently being processed on Google (which can take more than 7 days!) and I wanted to test the app using side-loading.

[bphd]

E/Finsky (): [173] uks.a(849): Encountered exception whilst fetching from GMS, deferring to Finsky: com.google.android.gms.common.api.ApiException: 17: API: IntegrityApiDisplayListener.API is not available on this device. Connection failed with: ConnectionResult{statusCode=API_DISABLED, resolution=null, message=null}

[rewb0rn]

We are using Google Play to sign our APKs now for the new games. It is quite nice because you do not have to worry about the validity of your key anymore. But there is one caveat / pitfall:

• Note that your signature changes AFTER your app has been published by Google. This is important if you use 3rd party services like Facebook, where you have to enter a Base64 SHA signature of the app, for example. So this signature changes after you published the app.

In our case the Facebook login did not work for our users until we realized what happened and we added the new key to Facebook. You can find the new signatures in the Google Play dashboard. So maybe this is the problem for your GP Services?

[httpwebmedia]

Does anybody successfully update the signing certificate? I have the following issue:
Back in 2013 I created a self signed certificate using rsa 1024. Now that no libraries using java support these certificate encryption level, I can't package my apk using new cert with my old app on google play.

Does someone have the solution ?

[ajwfrost]

@httpwebmedia if you have a 1024-bit certificate, you need to use the first release of Java 8. This one still supports the old certificates but has the newer language support required...

[httpwebmedia]

Well my problem right now is I mostly rely on distriqt native extensions and I think their latest updates make the use of old self signed cert unuseful... maybe I should addresd the issue to @marchbold from distriqt. I wonder if someone had the same issue and how do they solve it ? I have important apps that use the old 1024 encoding cert and some days I wont be able to update them... ⁣Télécharger BlueMail pour Android ​ Le 17 sept. 2020 à 18:44, à 18:44, Andrew Frost <notifications@github.com> a écrit:

…

@httpwebmedia if you have a 1024-bit certificate, you need to use the first release of Java 8. This one still supports the old certificates but has the newer language support required... -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #273 (comment)

[marchbold]

@httpwebmedia Nothing in our extensions restricts the usage of the certificate you are using to sign your application. You sometimes have to provide the signature of the certificate for identification purposes to services (eg Facebook or Play Games) but this is independent.

[httpwebmedia]

After all I think it's because of Animate it uses latest JAVA versions. I found a workaround but I'm still facing the same problem cause some days I wont be able to support my old apps.

From my understanding, I need to optin to Google Play App Signing service so they keep the private key certificate but how do we compile the apk with an upload key which use rsa 2048 encryption level?