How do we sign an Android App created with SB?

IdeasVacuum
Posts: 143
Joined: Tue Feb 25, 2014 1:27 pm

How do we sign an Android App created with SB?

Post by IdeasVacuum »

Reading this: Sign Your App Android Studio I am a bit surprised - it seems you do not have to buy a certificate from a 3rd party as you would for Windows applications.

However, since we are not using Android Studio to build our apps, how do we sign them?
Peter
Posts: 1086
Joined: Mon Feb 24, 2014 10:17 pm
Location: 127.0.0.1:9080

Re: How do we sign an Android App created with SB?

Post by Peter »

IdeasVacuum
Posts: 143
Joined: Tue Feb 25, 2014 1:27 pm

Re: How do we sign an Android App created with SB?

Post by IdeasVacuum »

Thanks, Peter. No relation to a javascript expert of the same name perchance?
tj1010
Posts: 201
Joined: Wed May 27, 2015 1:36 pm

Re: How do we sign an Android App created with SB?

Post by tj1010 »

Google applies other signing later after the apk passes Play Protect scanning. You just do your own signature locally with JDK as a form of identifier.

Apple is the only one charging for signing and store publishing. Which is especially annoying considering it takes 400 USD or euro designer x86 hardware to use Xcode.
IdeasVacuum
Posts: 143
Joined: Tue Feb 25, 2014 1:27 pm

Re: How do we sign an Android App created with SB?

Post by IdeasVacuum »

Hi tj1010

I think it is preferable to manage the keys oneself:

Image

Shame though that there is no choice but to make the app available via the Google store.
1) I like to QA sans debug before release;
2) I have my own store that customers know and trust - it's preferable to send them there where my other apps might prove interesting at the same time - in the Google store, a competitor app might catch their eye instead.
tj1010
Posts: 201
Joined: Wed May 27, 2015 1:36 pm

Re: How do we sign an Android App created with SB?

Post by tj1010 »

I thought Google signed on the back-end but they don't. There is just the opt-in Play Store key, and in 7.0+ the v2 signing scheme that uses block-hashing instead of whole-hashing. It still goes through Play Protect A.I. though before getting listed.

You can disable trusted apps on all versions of Android, but signing is at least half of their security model; the other half being containers and service API. I can disable it and transfer unsigned APK from SB over HTTP, BT, FTP, Mass Storage USB etc.

EDIT: I wrote a GUI for keytool a while back. I never did the JSON based parameter so there is still some manual-process to it. http://forums.spiderbasic.com/viewtopic ... t=10#p3414
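Added example, not code from any poster in this thread: a Python check for whether an APK carries the v2 signing scheme mentioned above, by locating the APK Signing Block that sits directly before the ZIP central directory and listing the scheme IDs in it. The function names and the in-memory sample APK are constructed for illustration, and the sample's signature value is a placeholder.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"  # last 16 bytes of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # IDs of signature pairs

def cd_offset(data):
    """Return (EOCD position, central directory offset) from the ZIP trailer."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no ZIP end-of-central-directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signing_block_schemes(data):
    """Schemes found in the APK Signing Block (presence only, no verification)."""
    found = set()
    _, cd = cd_offset(data)
    if cd < 32 or data[cd - 16:cd] != MAGIC:
        return found  # nothing sits between the entries and the directory
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end = start + 8, cd - 24
    while pos + 12 <= end:  # each pair: uint64 length, uint32 ID, value
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + pair_len
    return found

def build_sample(v2):
    """Constructed APK-like ZIP; the pair value is a placeholder, not a signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
    data = buf.getvalue()
    if not v2:
        return data
    eocd, cd = cd_offset(data)
    pair = struct.pack("<QI", 12, 0x7109871A) + b"\x00" * 8
    size = len(pair) + 24  # pairs + second size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + MAGIC
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)
```

This only reports that a signing block is present; checking that the signature is valid is the job of `apksigner verify` from the Android SDK build tools.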