It seems to me as if the signature is the same as the one generated from the certificate used to sign the APK file, but when the app is uploaded in an app bundle (AAB file), does the signature change (and when)? Or is it permanent even if I use a different upload key when signing the AAB file?
As a side note, I'd like to check the calling package in a content provider so that the app would only allow access to certain apps that have the right signature hash. My guess is that I would need to have the list of all authorized signature hashes publicly available somewhere for the app with the content provider, since I don't know beforehand how many apps would need access. So I most likely would need a way to get the new signature for each app in case it changes at some point.
If you are checking the authenticity of your app, you should use the hash of the signing certificate. Any app using Android App Bundle is also opted in to Play Signing.
You can find the hash of the certificates your app will be signed with under Play Signing. Instructions are in the "New apps" section in step 3, "Register your app signing key with API providers":
- Sign in to your Play Console.
- Select an app.
- At the left menu, select Release management > App signing.
- Copy the fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate.
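The check the question describes, using the signing-certificate hash the answer recommends, as an added example that is not code from either post. It assumes minSdk 28 (the SigningInfo API), a hypothetical base class name, and a placeholder fingerprint in place of the real values copied from Play Console:

```java
import android.content.ContentProvider;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Base class for a ContentProvider that only serves callers whose signing
// certificate is on an allow-list. Assumes minSdk 28 (SigningInfo API).
public abstract class SignatureGatedProvider extends ContentProvider {

    // Allow-list of SHA-256 fingerprints of authorized signing certificates,
    // lowercase hex without colons. The value below is a placeholder; the
    // real fingerprints come from Play Console > App signing for each app.
    private static final String[] AUTHORIZED_CERT_SHA256 = {
        "0000000000000000000000000000000000000000000000000000000000000000"
    };

    /** True only if the calling package is signed by exactly one allow-listed certificate. */
    protected boolean callerIsAuthorized() {
        String pkg = getCallingPackage();
        if (pkg == null) return false;  // no Binder identity for this call
        try {
            PackageManager pm = getContext().getPackageManager();
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo si = info.signingInfo;
            // Reject multi-signer APKs: one trusted certificate must fully identify the caller.
            if (si == null || si.hasMultipleSigners()) return false;
            Signature[] signers = si.getApkContentsSigners();
            if (signers == null || signers.length != 1) return false;
            String fp = sha256Hex(signers[0].toByteArray());
            for (String allowed : AUTHORIZED_CERT_SHA256) {
                // Constant-time comparison of the two hex strings
                if (MessageDigest.isEqual(allowed.getBytes(), fp.getBytes())) return true;
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;  // fail closed on any lookup error
        }
    }

    // Hex SHA-256 of the DER-encoded certificate, matching the Play Console fingerprint.
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Call `callerIsAuthorized()` at the top of `query()`, `insert()`, `update()` and `delete()` and throw a `SecurityException` when it returns false; if a calling app's certificate changes (for example after enrolling in Play Signing), its new SHA-256 fingerprint must be added to the allow-list.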