Enabling App Signing for a Released App

If you want to use App Signing for a released app, you can only upload your own signature key. Currently, AppGallery Connect does not support generating a new signature key for a released app. You need to use the pepk.jar tool to generate a .zip file that contains the signature key, and upload the .zip file to AppGallery Connect. For higher security, you can also submit the certificate of the upload key. You are advised to use an upload key different from the signature key. If you do not submit an upload key, you need to use your signature key as the upload key.

Before You Start

Your app has been released and has not used the App Signing service.
The signature key to be uploaded is the same as that of the app currently released in full mode.
You have obtained the pepk.jar tool from the Internet or another legitimate source.

Uploading the Signature Key

Sign in to AppGallery Connect and click My apps.
Click the name of the app that you need to sign. Then go to Distribute > Services > App Signing.
If you use App Signing for the first time, an app signing service agreement is displayed, and you need to sign the agreement to use the service.
Select Method 2: AppGallery Connect only manages the signature key you upload.
注意
If you have enabled the App Signing service, a message will be displayed, indicating that the app has been added to the app signature plan.

Obtain the pepk.jar tool from the Internet or another legitimate source.
Place the signature key file (.jks file) and files extracted from pepk.jar in the bin directory of the JDK.
Run the cmd command to open the CLI, go to the bin directory of the JDK, and run the following command to pack and encrypt the signature file of the signature key:
```
java -jar pepk.jar --keystore sign-keystore.jks --alias sign --output=sign.zip --encryptionkey=034200041E224EE22B45D19B23DB91BA9F52DE0A06513E03A5821409B34976FDEED6E0A47DBA48CC249DD93734A6C5D9A0F43461F9E140F278A5D2860846C2CF5D2C3C02 --include-cert
```
Replace the italic and boldfaced content in the command with the actual values.
- sign-keystore.jks: signature file of the signature key.
- sign: alias of the signature file.
- sign.zip: generated .zip package of the signature key.
- encryptionkey: public key used for encryption. Use the fixed public key in the command.
Click Browse and upload the .zip package generated in step 7.

说明
Steps 9 to 11 are optional. For higher security, you can manually upload a new upload key different from the signature key. If you do not upload an upload key, AppGallery Connect will use the uploaded signature key as the upload key by default to verify your identity information.
Generate a signature file that contains the upload key. The upload key must be different from the signature key.
Run the cmd command to open the CLI, go to the bin directory where the JDK is located, and run the following command to generate the key certificate (in PEM format) for the new upload key:
```
keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem
```
Replace the italic and boldfaced content in the command with the actual values.
- upload-keystore.jks: signature file that contains the upload key.
- upload: alias of the signature file.
- upload_certificate.pem: generated certificate of the upload key.
Click Expand, click Browse, and select the certificate of the upload key.
Click Submit in the upper right corner to submit related files to AppGallery Connect.
AppGallery Connect verifies the uploaded signature key in the following sequence:
1. Check whether the encryption algorithm and key length of the signature key are supported. If not, a notification is displayed, indicating that the uploaded signature key is not supported and you need to upload another one.
  For details about the encryption algorithms and key lengths supported by AppGallery Connect, please refer to Restrictions.
1. Check whether the signature key is consistent with that of the latest version released in full mode. If not, a notification is displayed, indicating that the uploaded signature key is inconsistent with that of the released version, and you need to upload it again.
  注意
  For details about the app consistency restrictions, please refer to the detailed requirements.
2. Check whether the signature key is a pair of public and private keys. If not, a notification is displayed, indicating that the uploaded signature key is incorrect and you need to upload another one.

Configuring the New Certificate Fingerprint

If the signature key uploaded to AppGallery Connect is different from that of the released app, the new certificate fingerprint may be different from that generated locally during app development. If the services you are integrating need to depend on the SHA-256 certificate fingerprint, you need to add the new SHA-256 certificate fingerprint after app re-signing for your app.

Sign in to AppGallery Connect and click My apps.
Click the name of the app that you need to sign. Then go to Distribute > Services > App Signing.
On the App Signing page, click next to the SHA-256 certificate fingerprint in the App signing certificate area.
Go to My projects > Project settings > General information > App information, click Add next to SHA-256 certificate fingerprint, paste the SHA-256 certificate fingerprint that is just copied, and click Save.

Updating an App

Use the upload key to sign the app package and upload the package. AppGallery Connect will use the certificate of the upload key to verify your identity information. After the verification is successful, AppGallery Connect will use the signature key you have submitted to re-sign the app. If you do not submit a certificate of the upload key, AppGallery Connect will use the signature key you have uploaded as the upload key by default to verify your identity information.
Re-signing will take several minutes.
Release the updated app.