 

What is the difference between App Signing Key and Upload Signing key for Google Play Android Apps

I am using a simple TWA (a website with PWA support, packaged into a native Android app) with bubblewrap. In order to get this TWA working properly, it must have an assetlinks.json file, including the SHA-256 fingerprint of the signing key, uploaded to the webserver.

There seem to be two keys for signing: An app and an upload key.

  1. If I release the app via the Play Store, the TWA wants to see the app key
  2. If I just install the local apk file, it expects the upload key

Also, different key tools will output different keys:

  1. Bubblewrap seems to use the app key: bubblewrap/bubblewrap fingerprint generateAssetLinks
  2. Google Play seems to use the app key as well.
  3. keytool seems to use the upload key: keytool -printcert -jarfile app-release-signed.apk | grep SHA256

Now I am wondering if I misunderstand something. Why does the local apk file expect a different key than the Play Store release? Is it safe to upload both shasums to the assetlinks.json file in order to allow Play Store releases and local testing?

NicoHood asked Nov 01 '25 06:11


1 Answer

So it took me some time to understand the whole process and also to find the correct documentation.

  1. I highly recommend reading the documentation
  2. The app key is used for Google Play releases and the upload key for local apk files.
  3. It is safe to integrate both into the assetlinks.json file, as also explained in the documentation
  4. For local testing and Google Play releases at the same time, it is required to have both keys listed in the file
  5. The keys can be obtained from the 3 locations mentioned in the question
  6. It might take some time for your device to recognize the update to that file; it is cached by Google.

Also interesting to hear from a Google developer:

Having both fingerprints in your asset link file is definitely more convenient, and it's something that I personally do. However, my TWAs are for testing, so I'm not too concerned about security implications.

The downside is that you increase your attack surface - if someone steals your debug key (which is probably sitting unencrypted, with some default password on your computer) they could claim to be associated with your website (and intercept links to it from their app).

NicoHood answered Nov 02 '25 20:11
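The following is an added example, not code from the question, the answer or the bubblewrap project. It shows what the accepted answer's points 2 to 5 amount to in practice: a certificate fingerprint is the SHA-256 hash of the DER-encoded signing certificate, printed by keytool and the Play Console as colon-separated uppercase hex; an assetlinks.json statement lists every fingerprint that should be allowed to handle the site's URLs, so listing both the app signing key (Play releases) and the upload key (locally installed apk) makes both builds verify. The two certificates below are constructed placeholder byte strings, not real certificates; the package name com.example.twa and the helper names are assumptions for the example. The check at the end mimics what a Digital Asset Links verifier does with the file (match package name, relation and fingerprint), which is why a build signed with a key that is not listed, such as a debug key, fails.

```python
import hashlib
import json
import re

# Constructed stand-ins for the DER-encoded signing certificates (not real certs).
# The Play app signing key certificate is the one the Play Console shows;
# the upload key certificate is the one keytool prints from a locally signed apk.
APP_SIGNING_CERT_DER = b"\x30\x82\x01\x0a" + b"placeholder-play-app-signing-certificate"
UPLOAD_CERT_DER = b"\x30\x82\x01\x0a" + b"placeholder-upload-key-certificate"
DEBUG_CERT_DER = b"\x30\x82\x01\x0a" + b"placeholder-debug-keystore-certificate"

PACKAGE_NAME = "com.example.twa"  # assumed package name for the example
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# 32 bytes as "AA:BB:...:ZZ", the form used in sha256_cert_fingerprints.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{2}:){31}[0-9A-F]{2}$")


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, formatted like keytool / Play Console."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(raw: str) -> str:
    """Accept 'SHA256: aa:bb:...', 'aa:bb:...' or bare hex; return canonical form.

    Raises ValueError if the value is not 32 bytes of hex, so a truncated
    copy-paste cannot silently end up in the published file.
    """
    value = raw.strip()
    if value.upper().startswith("SHA256:"):
        value = value.split(":", 1)[1]
    hex_only = re.sub(r"[^0-9a-fA-F]", "", value).upper()
    if len(hex_only) != 64:
        raise ValueError(f"not a SHA-256 fingerprint: {raw!r}")
    fingerprint = ":".join(hex_only[i:i + 2] for i in range(0, 64, 2))
    assert FINGERPRINT_RE.match(fingerprint)
    return fingerprint


def build_assetlinks(package_name: str, fingerprints) -> list:
    """One Digital Asset Links statement granting handle_all_urls to every listed key."""
    return [{
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": [normalize_fingerprint(f) for f in fingerprints],
        },
    }]


def is_app_linked(statements, package_name: str, signing_cert_der: bytes) -> bool:
    """Mimic the verifier: the installed app's signing cert must be listed for this package."""
    fingerprint = cert_fingerprint(signing_cert_der)
    for statement in statements:
        target = statement.get("target", {})
        if (target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and HANDLE_ALL_URLS in statement.get("relation", [])
                and fingerprint in target.get("sha256_cert_fingerprints", [])):
            return True
    return False


def assetlinks_for_both_keys() -> list:
    """The file the answer recommends: app signing key plus upload key."""
    # Simulate the two sources: Play Console output and a keytool line.
    play_console_value = cert_fingerprint(APP_SIGNING_CERT_DER)
    keytool_line = "SHA256: " + cert_fingerprint(UPLOAD_CERT_DER).lower()
    return build_assetlinks(PACKAGE_NAME, [play_console_value, keytool_line])


if __name__ == "__main__":
    statements = assetlinks_for_both_keys()
    print(json.dumps(statements, indent=2))  # contents for /.well-known/assetlinks.json
    print("Play build linked:", is_app_linked(statements, PACKAGE_NAME, APP_SIGNING_CERT_DER))
    print("Local build linked:", is_app_linked(statements, PACKAGE_NAME, UPLOAD_CERT_DER))
    print("Debug build linked:", is_app_linked(statements, PACKAGE_NAME, DEBUG_CERT_DER))
```

The trade-off the Google developer's quote describes is visible in the last check: any certificate whose fingerprint you add to the file gets the same authority over the site's links, so a debug keystore with a default password should stay out of the production file.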