Introduction
There has been some confusion over this new dialog showing up in the process for publishing apps to Google Play.
When you click on the “Choose signing key” link, you get this dialog.
TL;DR
To get the previous behavior, click on “Choose signing key” and then choose “Use Google generated key” from the dialog.
Background
Google Play has been requiring new apps to use Google Play signing and publish Android App Bundles (AAB) instead of APKs. This allows Google to deliver an app to an Android device with just the resources needed for that device (based on the processor, screen size, and version of software).
It is important to understand what is in a keystore and how key signing works. A keystore includes a private key and a public key. The private key does not leave your computer. The Android app is signed with the private key, and Google can extract the public key from the AAB or APK.
For each app, Google Play maintains copies of two public keys. You can see these by looking at the Setup > App signing section (and selecting the App signing tab). The two key certificates are:
- App signing key - this is the certificate for the app signing key that Google uses to sign the release.
- Upload key - this is the certificate that identifies you as the party authorized to upload a new release.
When Google began requiring Google Play signing and AAB publishing for new apps, Google would do these two things related to keys the first time you uploaded the AAB:
- Create a new private key and public key for signing the app releases
- Save the public key from the AAB to use for the upload key
From then on, you would continue to use the same keystore to sign the app for upload. Google would use the generated private key to sign the release of the app sent to the phones.
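To check which of the two Play Console certificates a given keystore corresponds to, compare SHA-256 certificate fingerprints. The following is an added example, not part of the original post: it assumes the certificate was exported from the keystore in PEM form (for example with `keytool -exportcert -rfc`) and that the fingerprints were copied from the App signing page. The function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate found in a PEM string."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM certificate found")
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]

def sha256_fingerprint(der):
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Accept fingerprints with or without colons/spaces, in any case."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexdigits) != 64:
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexdigits

def classify(pem_text, console_fingerprints):
    """Map the first certificate in pem_text to a Play Console key role."""
    local = normalize(sha256_fingerprint(pem_to_der(pem_text)[0]))
    for role, fp in console_fingerprints.items():
        if hmac.compare_digest(local, normalize(fp)):
            return role
    return "unknown"

# Constructed sample: the "certificate" body is the bytes b"abc", not real X.509.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Constructed stand-ins for the two values copied from the App signing page.
CONSOLE = {
    "upload key": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "app signing key": "00:" * 31 + "00",
}

if __name__ == "__main__":
    print(sha256_fingerprint(pem_to_der(SAMPLE_PEM)[0]))
    print(classify(SAMPLE_PEM, CONSOLE))
```

With Play signing, the certificate from your own keystore should match the upload key, while an APK delivered to a device should match the app signing key.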
So what is new?
Now Google is giving you the choice to use a Google generated key (as it did before) or to choose your own key. There is no harm in using the Google generated key.
Would this affect transferring the app later?
As far as I can tell, the Play signing private key is associated with the app, not the account. It seems to me from the Play Console Help and a Stack Overflow post that the key transfers with the app.