Enabling App Signing for a New App

If you want to use App Signing for a new app, you can either choose to create and manage a new signature key in AppGallery Connect, or upload an existing signature key. Either way, AppGallery Connect will guarantee the security of your signature key.

Before You Start

Create an app in AppGallery Connect.

Choosing a Way to Manage Your Signature Key

For new apps, AppGallery Connect provides two methods of signature key management.

  1. Sign in to AppGallery Connect and click My apps.
  2. Click the name of the app that you need to sign. Then go to Distribute > Services > App Signing.
  3. If you use App Signing for the first time, an app signing service agreement is displayed, and you need to sign the agreement to use the service.
  4. Select a signature mode based on whether to use your own signature key for the APK to be released.
    Note

    If you have enabled the App Signing service, a message will be displayed, indicating that the app has been added to the app signature plan.

    • If you select Method 1: AppGallery Connect creates and manages signature keys, AppGallery Connect will generate a new signature key for you and use it to re-sign your app. When updating your app, you only need to use the upload key to sign the updated app package, and then submit the package for release. This mode is recommended for new app release. For details, please refer to Letting AppGallery Connect Create a Signature Key.
      Note
      • If you have uploaded an app package, this option is not displayed. If you want to use this mode for an app, you need to create an app again.
      • To ensure signature key security, AppGallery Connect does not allow you to view or export a newly generated signature key. However, you can export the key certificate of a signature key. If you want to use the same signature key in multiple app markets, or use a signature key for signature verification when interconnecting your app with a third-party platform, select method 2.
    • If you select Method 2: AppGallery Connect only manages the signature key you upload, AppGallery Connect will re-sign your app using the signature key you upload. When updating your app, you only need to use the upload key to sign the updated app package, and then submit the package for release. For details, please refer to Uploading a Signature Key by Yourself.

Letting AppGallery Connect Create a Signature Key

Submitting the Certificate of the Upload Key

If you select Method 1: AppGallery Connect creates and manages signature keys, you need to submit the certificate of the upload key to AppGallery Connect.

  1. Generate a signature file that contains the upload key. Taking Android Studio as an example, you can go to Build > Generate Signed Bundle/APK in your Android Studio project, choose whether to generate a signature file for an App Bundle or APK package, and configure signature file information.

  2. Run the cmd command on your PC to open the CLI, go to the bin directory where the JDK is located, and run the following command to generate the certificate (in PEM format) for the upload key:
    keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem

    Replace the following values in the command with the actual values.

    • upload-keystore.jks: signature file that contains the upload key.
    • upload: alias of the signature file.
    • upload_certificate.pem: generated certificate of the upload key.
  3. Click Browse and select the generated key certificate.

  4. Click Submit in the upper right corner to submit the certificate of the upload key to AppGallery Connect, which will generate a signature key for you.

Configuring the New Certificate Fingerprint

The App Signing service generates a new certificate fingerprint, which may be different from that generated locally when you develop your app. If the services you are integrating need to depend on the SHA-256 certificate fingerprint, you need to add the new SHA-256 certificate fingerprint after app re-signing for your app.

  1. Sign in to AppGallery Connect and click My apps.
  2. Click the name of the app that you need to sign. Then go to Distribute > Services > App Signing.
  3. On the App Signing page, click the copy icon next to the SHA-256 certificate fingerprint in the App signing certificate area.

  4. Go to My projects > Project settings > General information > App information, click Add next to SHA-256 certificate fingerprint, paste the SHA-256 certificate fingerprint that is just copied, and click Save.

Releasing an App

  1. Use the upload key to sign the app package and upload the package.

    After you upload an app package, AppGallery Connect will verify the identity information in the app package by using the certificate of the upload key. If the verification is successful, AppGallery Connect will re-sign the app using the signature key it has generated. Re-signing will take several minutes.

  2. Complete the app release information and release the app.

Uploading a Signature Key by Yourself

Submitting the Signature Key

If you select Method 2: AppGallery Connect only manages the signature key you upload, you need to use the pepk.jar tool to generate a .zip file that contains the signature key and upload the .zip file to AppGallery Connect. For higher security, you can also submit the certificate of the upload key. You are advised to use an upload key different from the signature key. If you do not submit an upload key, you need to use your signature key as the upload key.

  1. Generate a signature file that contains the signature key. You can go to Build > Generate Signed Bundle/APK in your Android Studio project, choose whether to generate a signature file for an App Bundle or APK package, and configure signature file information.

  2. Obtain the pepk.jar tool from the Internet or another legitimate source.
  3. Place the signature key file (.jks file) and files extracted from pepk.jar in the bin directory of the JDK.
  4. Run the cmd command to open the CLI, go to the bin directory of the JDK, and run the following command to pack and encrypt the signature file of the signature key:
    java -jar pepk.jar --keystore sign-keystore.jks --alias sign --output=sign.zip --encryptionkey=034200041E224EE22B45D19B23DB91BA9F52DE0A06513E03A5821409B34976FDEED6E0A47DBA48CC249DD93734A6C5D9A0F43461F9E140F278A5D2860846C2CF5D2C3C02 --include-cert

    Replace the following values in the command with the actual values.

    • sign-keystore.jks: signature file of the signature key.
    • sign: alias of the signature file.
    • sign.zip: generated .zip package of the signature key.
    • encryptionkey: public key used for encryption. Use the fixed public key in the command.
  5. Click Browse and select the .zip package generated in step 4.

    Note

    Steps 6 to 8 are optional. For higher security, you can manually upload a new upload key different from the signature key. If you do not upload an upload key, AppGallery Connect will use the uploaded signature key as the upload key by default to verify your identity information.

  6. Generate a signature file that contains the upload key. The upload key must be different from the signature key.
  7. Run the cmd command to open the CLI, go to the bin directory where the JDK is located, and run the following command to generate the key certificate (in PEM format) for the new upload key:
    keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem

    Replace the following values in the command with the actual values.

    • upload-keystore.jks: signature file that contains the upload key.
    • upload: alias of the signature file.
    • upload_certificate.pem: generated certificate of the upload key.
  8. Click Expand, click Browse, and select the certificate of the upload key.

  9. Click Submit in the upper right corner to submit related files to AppGallery Connect.

    AppGallery Connect verifies the uploaded signature key in the following sequence:

    1. Check whether the encryption algorithm and key length of the signature key are supported. If not, a notification is displayed, indicating that the uploaded signature key is not supported and you need to upload another one.

      For details about the encryption algorithms and key lengths supported by AppGallery Connect, please refer to Restrictions.

    2. Check whether the signature key is a pair of public and private keys. If not, a notification is displayed, indicating that the uploaded signature key is incorrect and you need to upload another one.

Configuring the New Certificate Fingerprint

The App Signing service generates a new certificate fingerprint, which may be different from that generated locally when you develop your app. If the services you are integrating need to depend on the SHA-256 certificate fingerprint, you need to add the new SHA-256 certificate fingerprint after app re-signing for your app.

  1. Sign in to AppGallery Connect and click My apps.
  2. Click the name of the app that you need to sign. Then go to Distribute > Services > App Signing.
  3. On the App Signing page, click the copy icon next to the SHA-256 certificate fingerprint in the App signing certificate area.

  4. Go to My projects > Project settings > General information > App information, click Add next to SHA-256 certificate fingerprint, paste the SHA-256 certificate fingerprint that is just copied, and click Save.
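
The following Python sketch is an added example, not part of the AppGallery Connect documentation or tooling. It computes the SHA-256 fingerprint of the upload_certificate.pem exported with keytool and compares it with the App signing certificate fingerprint copied from the App Signing page and with the fingerprints added in project settings, for either signing method. The function names, finding messages and sample values are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint):
    """Accept fingerprints pasted with or without colons/spaces, any case."""
    value = re.sub(r"[\s:]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", value):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return value

def check_fingerprints(upload_pem, app_signing_fp, registered_fps):
    """Compare local upload cert, console signing cert and registered values."""
    upload = normalize(sha256_fingerprint(pem_to_der(upload_pem)))
    signing = normalize(app_signing_fp)
    registered = {normalize(fp) for fp in registered_fps}
    findings = []
    if signing not in registered:
        # Services that check the fingerprint see the re-signed app's certificate.
        findings.append("app signing fingerprint is not registered")
    if upload in registered and upload != signing:
        findings.append("upload key fingerprint is registered instead")
    if upload == signing:
        # Only possible with Method 2 when no separate upload key was submitted.
        findings.append("upload key and signature key are the same")
    return findings

# Constructed sample: the body decodes to b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_SIGNING_FP = "AA:" * 31 + "AA"  # constructed placeholder fingerprint

if __name__ == "__main__":
    print(sha256_fingerprint(pem_to_der(SAMPLE_PEM)))
    print(check_fingerprints(SAMPLE_PEM, SAMPLE_SIGNING_FP, []))
```

An empty result means the fingerprint registered in project settings is the one from the re-signed app and the upload key is distinct from the signature key.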

Releasing an App

  1. Use the upload key to sign the app package and upload the package. AppGallery Connect will use the certificate of the upload key to verify your identity information. After the verification is successful, AppGallery Connect will use the signature key you have submitted to re-sign the app. If you do not submit a certificate of the upload key, AppGallery Connect will use the signature key you have uploaded as the upload key by default to verify your identity information.

    Re-signing will take several minutes.

  2. Complete the app release information and release the app.