Once a signature key is generated in AppGallery Connect or uploaded by you, it cannot be modified.
Android apps use a signature key for signing. Each signature key has an associated key certificate. Devices and services can use the certificate to check whether the app is from a trusted source. For trusted app updates, ensure that the app signature of the update package is the same as that of the installed app so that your app update will be accepted. However, if the signature key is lost or stolen, you cannot update your app. In this case, you will have to use a new package name to release the updated app. This will lead to risks such as user loss. You are advised to use App Signing provided by AppGallery Connect. The service can properly manage and protect your app signature key and use the key to sign your app package for distribution. Even if your upload key is lost, you can still update your app on HUAWEI AppGallery, and users can still update your app.
With App Signing, your upload key certificate and app signature key are encrypted and stored in the encryptor on the cloud. No one can obtain the plaintext key from the encryptor. Even when signing an app, AppGallery Connect sends the content to be signed to the encryptor. The encryptor signs the content and returns the signing result. This ensures high-level encryption throughout the process. Currently, App Signing supports only APK and AAB files. You can choose not to use the service if your app is released in an APK package. Note that if you disable the service, you need to ensure the security of your keys. If you upload an AAB package for app release, App Signing is required to convert the AAB file into APK files and use the signature key to sign the APK files.
Function | Description |
---|---|
Creating and managing your signature key | AppGallery Connect generates a new signature key for your new app, stores the key in AppGallery Connect, and uses the signature key to sign your app each time you upload an app package. Your key used to sign the app package will also function as the upload key. AppGallery Connect verifies your identity based on the upload key. When you update the app, you only need to upload the app package signed by the upload key and then submit the app package for release. Currently, this function applies only to new apps. |
Managing only the signature key you upload | App Signing allows you to upload your own signature key. AppGallery Connect manages the signature key and uses it to re-sign your app each time you upload an app package. You can choose to generate a new key as the upload key and use the upload key to sign the app package. AppGallery Connect will verify your identity based on the upload key. If you do not generate an upload key, the signature key you upload can also be used as the upload key. This function applies to both new and released apps. |
When you use the App Signing service to release an App Bundle or APK, you need to choose a way to manage your signature key.
Currently, the function of verifying identity information using an upload key is not mandatory, and will be supported in later versions.
Platform | Supported |
---|---|
Android | |
iOS | |
Web | |
Quick app | |
Server SDK | N/A |
REST API | N/A |
To use the App Signing service for a new app, do as follows.
No. | Step | Details |
---|---|---|
1 | Choosing a Way to Manage Your Signature Key | The App Signing service of AppGallery Connect provides the following options:
|
2 | Configuring the Certificate Fingerprint | After you enable the App Signing service, AppGallery Connect generates a new certificate fingerprint, which may be different from that generated locally when you develop your app. If the services to be integrated need to depend on the SHA-256 certificate fingerprint, you need to add the new SHA-256 certificate fingerprint in AppGallery Connect for your app. |
3 | Using an Upload Key to Sign Your App | No matter how you choose to manage your signature key, you need to use the upload key to sign the app package before uploading it.
|
4 | Uploading an App Package | You need to upload the signed app package to AppGallery Connect. AppGallery Connect uses the signature key to re-sign your app. |
5 | Submitting Your App for Review | After your app package is re-signed, you can submit your app for release in AppGallery Connect. |
To use the App Signing service for a released app, do as follows.
No. | Step | Details |
---|---|---|
1 | Enabling the App Signing Service | If your app is now available to all your users or has ever been released in full mode before, you must use the signature used to sign the app package of the last full release to sign the current app package used for updating your app. In this case, you need to upload a signature key yourself. You need to submit a signature key in a .zip file to AppGallery Connect. To ensure normal app updates, you must use the same signature file as the latest full release in the .zip file. Notice: For details about the app consistency restrictions for using the App Signing service for an app that has been released in full mode, please refer to the detailed requirements. You can also submit the key certificate of the upload key to AppGallery Connect. If you do not, the signature key will be used as the upload key. |
2 | Configuring the Certificate Fingerprint | After you enable the App Signing service, AppGallery Connect generates a new certificate fingerprint, which may be different from that generated locally when you develop your app. If the services to be integrated need to depend on the SHA-256 certificate fingerprint, you need to add the new SHA-256 certificate fingerprint in AppGallery Connect for your app. Note: If the signature key you upload to AppGallery Connect is the same as that of the released app version, skip this step. |
3 | Using an Upload Key to Sign Your App | You need to use the upload key to sign the app package before uploading it.
|
4 | Uploading an App Package | You need to upload the signed app package to AppGallery Connect. AppGallery Connect uses the signature key you upload to re-sign your app. |
5 | Upgrading an App | After your app package is re-signed, you can submit your app for release by updating the app. |
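
The fingerprint check behind step 2 of both procedures, as an added example that is not AppGallery Connect's own code: it computes the SHA-256 fingerprint of a key certificate, normalises the usual notations, and reports whether the fingerprint registered for dependent services has to be replaced. The certificate bytes and the names `UPLOAD_PEM`, `SIGNING_PEM` and `DISTRIBUTED_FP` are constructed placeholders, not values from any real app.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint: str) -> str:
    """Reduce 'AB:CD:..', 'ab cd ..' or 'abcd..' to 64 lowercase hex digits."""
    compact = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", compact):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return compact

def fingerprint_needs_update(local_cert_pem: str, distributed_fp: str) -> bool:
    """True when the locally used certificate is not the one that signs the
    distributed APK, so services keyed on the old fingerprint need the new one."""
    local_fp = sha256_fingerprint(pem_to_der(local_cert_pem))
    return normalize(local_fp) != normalize(distributed_fp)

def sample_pem(der: bytes) -> str:
    """Wrap bytes in a PEM envelope (used only to build the sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes, not real X.509 certificates.
UPLOAD_DER = b"constructed upload key certificate"
SIGNING_DER = b"constructed app signature key certificate"
UPLOAD_PEM = sample_pem(UPLOAD_DER)
SIGNING_PEM = sample_pem(SIGNING_DER)
# Fingerprint as it might be copied from a console page: lowercase, no colons.
DISTRIBUTED_FP = hashlib.sha256(SIGNING_DER).hexdigest()

if __name__ == "__main__":
    print("local upload cert        :", sha256_fingerprint(pem_to_der(UPLOAD_PEM)))
    print("needs update (upload key):", fingerprint_needs_update(UPLOAD_PEM, DISTRIBUTED_FP))
    print("needs update (same key)  :", fingerprint_needs_update(SIGNING_PEM, DISTRIBUTED_FP))
```

The second case corresponds to the note in the released-app procedure: when the uploaded signature key is the one already used for the released version, the fingerprint does not change.
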
Name | Description |
---|---|
Signature key | A signature key is the key used to sign an APK installed on a user device, and it remains unchanged throughout the app lifecycle. The signature key is private. Do not disclose your signature key to others. When using the App Signing service, you can choose to create a signature key in AppGallery Connect or upload a signature key yourself. AppGallery Connect saves the key and uses it to sign the app distributed to user devices. |
Upload key | An upload key is used by AppGallery Connect to verify your identity when you upload an app package. When you use the App Signing service, you need to submit the key certificate of an upload key to AppGallery Connect, and use the upload key to sign an App Bundle or APK file you upload. During the upload, AppGallery Connect uses the key certificate to verify the upload key. You can upload a new key as the upload key or directly use your signature key. For higher security, you are advised to use an upload key different from a signature key. |
Key certificate | A key certificate contains the public key in the public-private key pair and other information about the private key owner, but does not contain your private key. During app signing, the signing tool attaches the key certificate to your app. You can share the certificate with others. The key certificate can be used to verify the signer of the app package to ensure that the app is reliable. The key certificate of the signature key is mainly used to verify an app finally distributed to user devices, and that of the upload key is mainly used by AppGallery Connect to verify the uploader of an app package. |
Certificate fingerprint | As the identifier of a key certificate, the certificate fingerprint is used to ensure the accuracy of the key. |
Free of charge.