Deployment and upload key for Google Play - how to use them with Cordova

I have created a Cordova hybrid app and somehow managed to sign it for Google Play, starting the process with two commands:

1. keytool ...
2. cordova run android --release keystore==... password=...

After uploading the signed app on the Google console and opting for their upload key, I got access to two certificate files: deployment_cert.der and upload_cert.der, and their "hash-codes". This makes me pretty confused. What should I do with them? How can I use them to sign the app for Google Play? (I only use JavaScript for the project, and Cordova commands. Do I need Java or something?)

What makes me even more perplexed is the fact that I was able to ignore those certificates and launch the app on Google Play using just the original keystore (by repeating the command 2 above). So did I sign the app with the upload key? I don't believe so. And how could I?

Coatl asked Mar 28 '18 23:03


1 Answer

When you enrolled your app in the Google Play App Signing program, you let Google create and own the private key that will be used to sign the APKs that get delivered to the end users (i.e. the deployment key).

The private key that you used to sign the APKs you first uploaded to the Play Console is what Play calls the upload key. This is the key that you will need to use to sign all future APKs you upload to the Play Console. What the Play Console does is look at the first APK you upload, extract its certificate, and verify for every future upload that the uploaded APK matches the same certificate.

The certificates being displayed in the App signing page are just there for informative purposes. The upload certificate is the certificate associated with the private key you used to sign your APK, and the deployment certificate is the certificate associated with the private key that Play Console created and uses to re-sign the APKs. You only need these hashes if your app uses a third-party API that requires authentication to register your app with that third-party service.

I hope that clarifies it a bit.

The official documentation can be found here: https://support.google.com/googleplay/android-developer/answer/7384423

Pierre answered Nov 15 '22 07:11
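
Added example, not part of the original answer: Node.js code (the project is JavaScript-only) that computes the fingerprints of `upload_cert.der` and `deployment_cert.der` in the forms third-party consoles ask for, and tells which of the two a registered fingerprint belongs to. The function names and `SAMPLE` are assumptions; `SAMPLE` holds constructed filler bytes in DER framing, not real certificates.

```javascript
const crypto = require('crypto');

// Return the DER bytes of a certificate given as DER (Buffer) or PEM (text).
function toDer(input) {
  const buf = Buffer.isBuffer(input) ? input : Buffer.from(input);
  const pem = buf.toString('latin1')
    .match(/-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/);
  const der = pem ? Buffer.from(pem[1].replace(/\s+/g, ''), 'base64') : buf;
  // A certificate is one DER SEQUENCE: tag 0x30, a length, then exactly that
  // many bytes. Checking this catches truncated or wrong-format downloads.
  if (der.length < 2 || der[0] !== 0x30) throw new Error('not a DER certificate');
  let len = der[1], hdr = 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n < 1 || n > 4 || der.length < 2 + n) throw new Error('bad DER length');
    len = der.readUIntBE(2, n);
    hdr = 2 + n;
  }
  if (hdr + len !== der.length) throw new Error('truncated or trailing data');
  return der;
}

// Fingerprints are hashes of the whole DER encoding of the certificate.
function fingerprints(input) {
  const der = toDer(input);
  const hash = (alg, enc) => crypto.createHash(alg).update(der).digest(enc);
  const colons = (hex) => hex.toUpperCase().match(/.{2}/g).join(':');
  return {
    sha1: colons(hash('sha1', 'hex')),
    sha256: colons(hash('sha256', 'hex')),
    sha1Base64: hash('sha1', 'base64'), // "key hash" form used by some SDKs
  };
}

// Which certificate does a fingerprint registered with a third party match?
function whichCert(registered, certs) {
  const norm = (fp) => fp.replace(/[^0-9a-f]/gi, '').toUpperCase();
  for (const [name, cert] of Object.entries(certs)) {
    const f = fingerprints(cert);
    if ([f.sha1, f.sha256].some((x) => norm(x) === norm(registered))) return name;
  }
  return null;
}

// Constructed stand-ins; with real files use fs.readFileSync('upload_cert.der') etc.
const fakeDer = (fill) =>
  Buffer.concat([Buffer.from([0x30, 0x82, 0x01, 0x00]), Buffer.alloc(256, fill)]);
const SAMPLE = { upload: fakeDer(0x11), deployment: fakeDer(0x22) };
console.log(whichCert(fingerprints(SAMPLE.deployment).sha1, SAMPLE));
```

Because Play re-signs the APKs delivered to end users with the deployment key, a fingerprint that resolves to `upload` here matches only builds signed with your own keystore, not the ones users install from Play.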