Upcoming change to the Android build pipeline

Android Application Bundles (AAB files)
We recently added support for Android Application Bundles (.aab files). This is the new and recommended way for app distribution on Google Play. AAB files cannot be installed directly on an Android device and must be converted into an APK file before installation. This is handled automatically by Google Play. Using AAB files has several advantages:

  • Google Play optimizes the APK for the target device before installation. This usually results in a slightly smaller install for the end-user.
  • The maximum size of an AAB file is 150 MB, as opposed to 100 MB for an APK.

Android Package Kit (APK file)
For local development you still want to use APK files as those can be installed directly onto a device. Defold has up until now had its own build pipeline for APK files with a custom tool for signing the APK. The problem with the old pipeline is that APKs were signed using an old APK signature scheme. The old signature scheme is less secure and it prevents development of things such as Google Play Instant applications.

Unified build pipeline
With the AAB signing in place in Defold we will migrate from our old custom build pipeline to solve the issue with the old signature scheme. Starting with Defold 1.2.173 we will generate APK files using the same build pipeline as we use for AAB files. When you build an APK using the editor or bob.jar we will first create an AAB file and from the AAB file generate a universal APK suitable for installation on any supported Android device.

What does this mean for you?
This change will have one implication for you as a developer when it comes to signing your applications. You will no longer be able to sign your applications using a certificate (.pem file) and key (.pk8 file). Signing applications must be done using a Java keystore file (*.jks file). This has been the standard way of signing Android applications for a long time and with this change to the Android build pipeline we finally have to adapt and start using keystore files.

You can convert your .pem and .pk8 file into a keystore file using a script, like this:

#!/usr/bin/env bash
# Convert a .pk8 key and a .pem certificate into a Java keystore.
# Usage: convert.sh <key.pk8> <cert.pem> <password> <alias>

KEY=$1		# .pk8
CERT=$2		# .pem
PASS=$3		# keystore password
ALIAS=$4	# keystore alias
KEYSTORE=generated.jks

if [ -z "${KEY}" ]; then echo "You must provide a pk8 key"; exit 1; fi
if [ -z "${CERT}" ]; then echo "You must provide a pem certificate"; exit 1; fi
if [ -z "${PASS}" ]; then echo "You must provide a keystore password"; exit 1; fi
if [ -z "${ALIAS}" ]; then echo "You must provide a keystore alias"; exit 1; fi

# remove any keystore left over from a previous run
rm -f "${KEYSTORE}"

echo "Creating ${KEYSTORE}"

# convert binary key.pk8 to key.pem
openssl pkcs8 -inform DER -nocrypt -in "${KEY}" -out key.pem

# bundle key and cert into a pkcs12 file
openssl pkcs12 -export -in "${CERT}" -inkey key.pem -out cert.p12 -password "pass:${PASS}" -name "${ALIAS}"

# import pkcs12 file into a keystore
keytool -importkeystore -deststorepass "${PASS}" -destkeystore "${KEYSTORE}" -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass "${PASS}"

# cleanup: the intermediate files hold the unencrypted private key
rm -f key.pem
rm -f cert.p12

echo "Done!"


$ ./convert.sh defold_key.pk8 defold_cert.pem MySeCrEtPaSsWoRd defold

This will create a keystore named generated.jks containing the provided key and certificate. The key and certificate will be associated with the alias defold and protected by the password MySeCrEtPaSsWoRd.

When you bundle your application in Defold using 1.2.173 (using editor or bob.jar) you need to provide the keystore (*.jks file) and a text file containing the keystore password.
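Added example, not part of the original post or of Defold's tooling: a check that the alias in the converted keystore carries the same certificate as the original .pem, by comparing SHA-256 fingerprints. A mismatch means the keystore would sign with a different identity than your earlier releases. The function names are illustrative, and the password is read from the same kind of text file the bundling step asks for.

```shell
#!/usr/bin/env bash
# Added example: check that a converted keystore still carries the
# certificate from the original .pem. Function names are illustrative.

# Print the SHA-256 fingerprint of the PEM certificate on stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# verify_keystore CERT.pem KEYSTORE ALIAS PASSFILE
# Returns 0 only if ALIAS in KEYSTORE holds the same certificate as CERT.pem.
# PASSFILE is a text file holding the keystore password, so the password
# never appears in the process list or in shell history.
verify_keystore() {
    vk_want=$(pem_fingerprint < "$1") || return 2
    vk_got=$(keytool -exportcert -rfc -alias "$3" -keystore "$2" \
                 -storepass:file "$4" 2>/dev/null | pem_fingerprint)
    # An empty fingerprint means the certificate could not be read at all.
    [ -n "$vk_want" ] && [ "$vk_want" = "$vk_got" ]
}

# Stand-alone use: verify.sh defold_cert.pem generated.jks defold password.txt
if [ "$#" -eq 4 ]; then
    if verify_keystore "$@"; then
        echo "OK: keystore certificate matches $1"
    else
        echo "MISMATCH: keystore does not hold the certificate in $1" >&2
        exit 1
    fi
fi
```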


It should be mentioned here that the editor (on Mac at least) allows you to select the exported .jks file but will display “Invalid keystore” and not allow a build. For it to work the file must be named *.keystore.

This is a bug. Thank you for spotting it!


Fix has been pushed to editor-dev. It will show up as an update in about 15-20 minutes or so.

Including the info on conversion would be useful to include in the docs. Or link to this thread from there.


The Android signing process in Defold changed in version 1.2.173 from using a stand-alone key and certificate to a keystore.

That block of text could include a link to this thread for easier reference for anyone who has not converted yet.


Related to this, I have a problem with having an old key/cert that were passwordless and I’m unsure of how to convert them / update them to add a password and then convert them to jks.


Got it I think?

openssl rsa -aes256 -in key.pem -out new_key_aes256.pem

Then it asks for a passphrase. Will test…

Importing keystore cert.p12 to generated.jks...
Entry for alias subsoapandroid successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Seems to work. I have a generated.jks now!

Opening that with KeyStore Explorer and entering the new password works to show the old info that was originally in the old files.

Worked to make an APK. Will test uploading to Google Play soon.


Good point. I’ve added a link. Should be visible in a few minutes.
