
How do we sign an Android App created with SB?

Posted: Fri Jun 09, 2017 2:00 pm
by IdeasVacuum
Reading this: Sign Your App Android Studio I am a bit surprised - it seems you do not have to buy a certificate from a 3rd party as you would for Windows applications.

However, since we are not using Android Studio to build our apps, how do we sign them?

Re: How do we sign an Android App created with SB?

Posted: Fri Jun 09, 2017 2:12 pm
by Peter

Re: How do we sign an Android App created with SB?

Posted: Fri Jun 09, 2017 2:45 pm
by IdeasVacuum
Thanks, Peter. No relation to a JavaScript expert of the same name perchance?

Re: How do we sign an Android App created with SB?

Posted: Sat Jun 10, 2017 5:40 am
by tj1010
Google applies other signing later after the APK passes Play Protect scanning. You just do your own signature locally with the JDK as a form of identifier.

Apple is the only one charging for signing and store publishing. Which is especially annoying considering it takes 400 USD or euro designer x86 hardware to use Xcode.

Re: How do we sign an Android App created with SB?

Posted: Sat Jun 10, 2017 9:54 am
by IdeasVacuum
Hi tj1010

I think it is preferable to manage the keys oneself:

Image

Shame though that there is no choice but to make the app available via the Google store.
1) I like to QA sans debug before release;
2) I have my own store that customers know and trust - it's preferable to send them there where my other apps might prove interesting at the same time - in the Google store, a competitor app might catch their eye instead.

Re: How do we sign an Android App created with SB?

Posted: Sat Jun 10, 2017 12:23 pm
by tj1010
I thought Google signed on the back-end but they don't. There is just the opt-in Play Store key, and in 7.0+ the v2 signing scheme that uses block-hashing instead of whole-hashing. It still goes through Play Protect A.I. though before getting listed.

You can disable trusted apps on all versions of Android, but signing is at least half of their security model; the other half being containers and service API. I can disable it and transfer an unsigned APK from SB over HTTP, BT, FTP, Mass Storage USB etc.

EDIT: I wrote a GUI for keytool a while back. I never did the JSON-based parameter so there is still some manual process to it. http://forums.spiderbasic.com/viewtopic ... t=10#p3414
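
Added example, not part of the original thread: a Python check that reports whether an APK carries the JAR-style signature made locally with the JDK ("v1") and/or the 7.0+ v2 signature, which is stored in the APK Signing Block directly before the ZIP central directory. The function names and the dummy archive are constructed for illustration; the check detects presence only and does not verify any signature.

```python
import io, struct, zipfile

MAGIC = b"APK Sig Block 42"  # trailer of the APK Signing Block
V2_ID = 0x7109871A           # ID of the v2 signature entry in that block

def _cd_offset(data):
    # Assumes no ZIP64 and no EOCD signature inside the archive comment.
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signing_schemes(data):
    """Return which signature schemes ('v1', 'v2') the APK bytes carry."""
    found = set()
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    if any(n.startswith("META-INF/") and n.endswith(".SF") for n in names):
        found.add("v1")  # JAR-style signature files stored as ZIP entries
    _, cd = _cd_offset(data)
    if cd >= 32 and data[cd - 16:cd] == MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]
        pos, end = cd - size, cd - 24  # ID-value pairs lie between the size fields
        while 0 <= pos and pos + 12 <= end:
            length, pair_id = struct.unpack_from("<QI", data, pos)
            if pair_id == V2_ID:
                found.add("v2")
            pos += 8 + length
    return found

def make_sample(v1, v2):
    """Constructed input: tiny ZIP with dummy, cryptographically invalid signature data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dummy")
        if v1:
            z.writestr("META-INF/CERT.SF", b"dummy")
    data = buf.getvalue()
    if not v2:
        return data
    eocd, cd = _cd_offset(data)
    pair = struct.pack("<QI", 12, V2_ID) + b"\0" * 8  # length covers ID + value
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)

if __name__ == "__main__":
    print(signing_schemes(make_sample(v1=True, v2=True)))
```

To check a real build, pass the file's bytes, for example `signing_schemes(open(path, "rb").read())`, where `path` is your own APK.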