More Details About App Signing Key Management

May 18, 2017 - Written By Daniel Fuller

Google announced changes to app signing key management for Google Play developers on the first day of this year’s Google I/O, and it has now updated the Google Play developer support page to reflect those announcements. Developers can store and administer their own keys through the Developer Console, or hand those responsibilities over to Google. The kicker with having Google manage the keys, however, is that once developers have handed the keys for a given app to Google, they cannot go back to managing that app’s keys themselves. There are detailed instructions for both options on the support page, of course. Google also includes a handy guide to various terms related to Google Play app signing.

Managing your own keys, or continuing to do so, is a simple enough affair; developers simply upload a given APK in signed form. Developers who want Google to manage their keys follow a similar process for brand new apps, but have to opt in to the program first. They upload the signed APK, then Google strips out their signature and replaces it with one based on the key it generates from that signature. To bring an existing app into Google’s app signing ecosystem, developers first opt that app into the program, then upload a clean copy of the app alongside the signing key in a separate file. Google verifies everything and stores the key on its servers. The developer then updates all of their key stores to the new key that Google holds and signs an update to the app with that key. From that point on, Google handles signing and key distribution, and developers can download a copy of the Google-signed APK from the Developer Console.

Google also gives a quick primer on some terms that developers should know. An app signing key is the original key held by the developer on their own machine; an upload key is the one generated when handing the app over to Google for signing; the private key is what is used for APK signing; and the public key is what users see if they decompile an APK. A certificate, meanwhile, bundles some identifying information with the public key. Finally, the Play Encrypt Private Key tool is what is used to encrypt and decrypt keys while transferring them to and from Google’s servers.
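The upload-then-re-sign procedure and the key terminology above are easier to see in a runnable model. The following is an added example written for this article, not Google's code or tooling: the `Certificate`, `KeyPair`, `PlaySigningService` and `run_flow` names are assumptions, the APK bytes are constructed, and a textbook RSA signature over tiny hard-coded primes stands in for real APK signing so that everything runs with the Python standard library. The key sizes are deliberately toy; what the model shows is who holds the private key at each step, that devices verify against the app signing certificate rather than the upload certificate, and that a lost upload key can be replaced without touching the app signing key that installed devices already trust.

```python
"""Model of the Play App Signing flow described in the article.

Added example, not Google's code. A textbook RSA signature over tiny
constructed primes stands in for real APK signing so the example runs
with the standard library only; the point is which party holds which
key and who verifies what at each hop, not the cryptography itself.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Bundles identifying information (subject) with a public key (n, e)."""
    subject: str
    n: int
    e: int

    def fingerprint(self) -> str:
        """SHA-256 over the certificate fields; this is what Play and devices pin."""
        blob = json.dumps([self.subject, self.n, self.e]).encode()
        return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class KeyPair:
    """Toy RSA keypair: the private exponent d signs, the certificate is public."""
    cert: Certificate
    d: int


def make_keypair(subject: str, p: int, q: int, e: int = 17) -> KeyPair:
    """Build a toy keypair from two tiny constructed primes (never do this for real)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return KeyPair(Certificate(subject, n, e), d)


def digest_mod_n(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: KeyPair, data: bytes) -> int:
    """Private-key operation: only the holder of d can produce this value."""
    return pow(digest_mod_n(data, key.cert.n), key.d, key.cert.n)


def verify(cert: Certificate, data: bytes, sig: int) -> bool:
    """Public-key operation: anyone holding the certificate can check it."""
    return pow(sig, cert.e, cert.n) == digest_mod_n(data, cert.n)


class PlaySigningService:
    """Hypothetical model of Google's side: holds the app signing key, knows the
    developer's registered upload certificate, and re-signs verified uploads."""

    def __init__(self, app_signing: KeyPair, upload_cert: Certificate):
        self._app_signing = app_signing   # private key never leaves 'Google'
        self._upload_cert = upload_cert   # the registered upload certificate

    @property
    def app_signing_cert(self) -> Certificate:
        return self._app_signing.cert

    def accept_upload(self, apk: bytes, upload_sig: int) -> int:
        """Check the upload signature against the registered upload certificate,
        drop it, and return the signature users' devices will see."""
        if not verify(self._upload_cert, apk, upload_sig):
            raise ValueError("rejected: APK not signed with the registered upload key")
        return sign(self._app_signing, apk)

    def reset_upload_key(self, new_upload_cert: Certificate) -> None:
        """Replace a lost or compromised upload key; the app signing key is untouched,
        so the identity already-installed devices trust does not change."""
        self._upload_cert = new_upload_cert


def run_flow() -> dict:
    """Walk the article's steps and report what each party observed."""
    apk = b"constructed sample APK bytes"  # stands in for a real APK
    upload = make_keypair("upload-key:example-dev", 61, 53)
    app_signing = make_keypair("app-signing-key:example-dev", 67, 71)
    play = PlaySigningService(app_signing, upload.cert)

    # Developer signs the upload with the upload key; Play verifies and re-signs.
    play_sig = play.accept_upload(apk, sign(upload, apk))
    # A device verifies against the app signing certificate, never the upload one.
    device_ok = verify(play.app_signing_cert, apk, play_sig)

    # The upload key is lost: rotate it at Play; the old key no longer works.
    new_upload = make_keypair("upload-key:example-dev:2", 73, 79)
    play.reset_upload_key(new_upload.cert)
    try:
        play.accept_upload(apk, sign(upload, apk))
        old_key_rejected = False
    except ValueError:
        old_key_rejected = True
    rotated_sig = play.accept_upload(apk, sign(new_upload, apk))

    return {
        "device_ok": device_ok,
        "old_upload_key_rejected": old_key_rejected,
        "app_signing_unchanged": rotated_sig == play_sig,
        "app_signing_fingerprint": play.app_signing_cert.fingerprint(),
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```

The asymmetry in `run_flow` is the practical takeaway: the app signing certificate fingerprint that devices pin stays constant across an upload key reset, which is exactly the recovery path that a self-managed, lost app signing key does not have.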