Google Play App Signing

During Google I/O ‘17, Google officially announced the new Android App signing technique. It feels pretty nifty and I personally would be happier signing our apps that way instead of having private keys on Jenkins servers.
Now it is a non opt-out solution so before I enroll I want to make sure that this works for bob when signing.
I guess it hasn’t really been tried out yet, and I’m not sure if the upload key would work as a key using bob atm.
Has anyone tried it?
May I request support for this?

EDIT: link: https://developer.android.com/studio/publish/app-signing.html

The only difference that I have noticed is that with the new system, if you lose your keys, you are able to change them. That was not possible with the old system. You will still need keys on your server to be able to upload the build. I have not used your approach, but from a theoretical point of view there should not be any reason why you cannot activate the new system. If you are unsure, create a test app and test the new signing with it before activating it with an already existing one.

Ok, so there are two different takes/questions to this.
The way Google is describing it (and the preferable way for me to do it) is to not use the private app signing key at all to sign an app on our end. Instead we use the upload key provided by Google. Google themselves will sign our app on their end with my app signing key. That’s the whole point of storing the key with them in the first place.
It was more a question of whether bob accepts these new upload keys when signing on my end.

The other question is whether, when enrolling in this service, Google will accept both ways of signing or only accept upload keys from our end (enforcing the new App Signing tech). Well, I guess that is a question better asked at a Google forum.

Just wanted to ask, and not pollute my account with a test app, if anyone has already tried it out and knows the answers.

My answer was based on experience of using both methods. You will still need an upload key to validate your build. With the new system you are just able to change the upload key if you lose it or it is compromised.

I do not know. Bob still expects a .pem and .pk8 file. If Google provides a .keystore then it’s possible to get the .pem and .pk8 from that and vice versa.
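The keystore-to-.pem/.pk8 conversion mentioned in the post above, sketched with `keytool` and `openssl` as an added example that is not part of the original thread or of bob. The variable `KS_PASS`, the file names and the function names are constructed; it assumes the key password equals the store password and that the `.pk8` is wanted as unencrypted PKCS#8 DER, the usual convention for Android signing tools.

```shell
# Added example (not from the thread). Constructed names: KS_PASS, upload.p12.
# Assumes key password == store password (always the case for PKCS#12 stores).

# keystore_to_pem_pk8 KEYSTORE ALIAS OUT_PREFIX -> OUT_PREFIX.pem, OUT_PREFIX.pk8
# The store password is read from $KS_PASS so it never appears in argv.
keystore_to_pem_pk8() (
    keystore=$1; entry=$2; out=$3
    umask 077                              # key material: owner-only files
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT              # drop intermediates on any exit
    # 1. keytool cannot export a private key directly; copy the one entry
    #    into a throwaway PKCS#12 file that openssl can read.
    keytool -importkeystore -noprompt \
        -srckeystore "$keystore" -srcalias "$entry" -srcstorepass:env KS_PASS \
        -destkeystore "$tmp/upload.p12" -deststoretype PKCS12 \
        -deststorepass:env KS_PASS >/dev/null 2>&1 || exit 1
    # 2. Certificate -> PEM (x509 strips the bag-attribute preamble).
    openssl pkcs12 -in "$tmp/upload.p12" -passin env:KS_PASS \
        -nokeys -clcerts -out "$tmp/cert.txt" || exit 1
    openssl x509 -in "$tmp/cert.txt" -out "$out.pem" || exit 1
    # 3. Private key -> unencrypted PKCS#8 DER. The result is not
    #    password-protected, so it relies on file permissions alone.
    openssl pkcs12 -in "$tmp/upload.p12" -passin env:KS_PASS \
        -nocerts -nodes -out "$tmp/key.pem" || exit 1
    openssl pkcs8 -topk8 -nocrypt -in "$tmp/key.pem" \
        -outform DER -out "$out.pk8" || exit 1
)

# pair_matches OUT_PREFIX: succeeds only if the certificate's public key is
# the one derived from the private key, i.e. the two files belong together.
pair_matches() (
    from_cert=$(openssl x509 -in "$1.pem" -noout -pubkey) || exit 1
    from_key=$(openssl pkey -inform DER -in "$1.pk8" -pubout) || exit 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
)
```

With OpenSSL 3 and a PKCS#12 file written by an older JDK, the `openssl pkcs12` steps may need `-legacy`.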

Thank you for your answer @Seepia. I will take it that you have got it to work with bob.jar and not in android development in general.
It will be a .keystore file so I guess it shouldn’t be a problem in the end.

http://keystore-explorer.org/index.html can do the converting probably.

What I am trying to say is that, from the upload point of view, the two different methods that the Google Play store accepts for signing are identical. If something works with the first, it should work with the second as well :). I have not used bob.jar. We have not automated our Defold builds yet. It is of course possible that automation brings something to the picture that I don’t know.