In this case I am not alone: I have joined a well-known developer forum in Indonesia with the title of Google Authorized Training Partner. I tried to express my concerns about digital signatures there, as follows:
Good Morning Masters,
Excuse me, may I ask about Signed Apk? I have no experience with this, so there are some concerns there. Let's say there are 3 actors (client, developerA, developerB).
Case A
1. First Signed Apk is built with DevA keystore
2. Signed Apk is sent to the client's email
3. The client uploads the signed Apk to his playstore
- In this case, do I need to create a special keypad for the apk?
- Do I need to include the keypad to send to the client via email?
- Is it common and safe to send keystores like that?
Case B
1. Client terminates contract with DevA
2. Client creates contract with DevB
3. DevB builds signed Apk (still the same project)
- Does DevB have to use the DevA keypad to be able to continue to the next version?
- Can DevB continue the keystore-less version of DevA?
I think that's it, sis, please enlighten me, sorry if I still don't understand about Signed Apk.
Thank you very much for the enlightenment,
Answer
Mastah A:
First, if the application is still in the demo stage, it does not need to be signed because changes will definitely occur. Second, each application can only have one keystore (if it will be published to the Playstore). Sending the keystore is a mutual agreement.
Master B:
Case A: application keystore is generally confidential. Here the keystore functions to secure the app source (from the decompile process etc.) and our application key in the marketstore (playstore), without the keystore the apk cannot be uploaded. The keystore is also needed to update to a signed apk that has been published previously. My advice, if you want your app to be closed and secure, do not share the keystore with other people who are not interested in the application.
Case B: to update the application, DevB still needs the keystore from DevA, because the application has been published with a keystore created by DevA.
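The point made for Case B above, that an update has to carry the same signing certificate as the APK already published, can be checked before anything is uploaded. The script below is an added example, not part of the forum thread or of the author's message; the function names are hypothetical, real use assumes the Android SDK build-tools apksigner is on PATH, and the sample outputs and digests are constructed.

```shell
#!/bin/sh
# Added example. Real use assumes the Android SDK build-tools `apksigner` is on PATH.
# Function names are hypothetical; DNs and digests below are constructed samples.

# Read `apksigner verify --print-certs` output on stdin and print the
# SHA-256 digest of signer #1 (only the first signer is compared here).
signer_digest() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# Succeed only when both outputs carry the same, non-empty signer digest.
same_signer() {
    a=$(printf '%s\n' "$1" | signer_digest)
    b=$(printf '%s\n' "$2" | signer_digest)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Compare two APK files: 0 = same signer, 1 = different signer, 2 = verification failed.
check_apks() {
    old=$(apksigner verify --print-certs "$1") || return 2
    new=$(apksigner verify --print-certs "$2") || return 2
    same_signer "$old" "$new"
}

# Constructed sample output (not taken from real APKs).
DEVA_DIGEST=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
DEVB_DIGEST=b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
PUBLISHED="Signer #1 certificate DN: CN=DevA Example
Signer #1 certificate SHA-256 digest: $DEVA_DIGEST"
UPDATE_SAME_KEY="Signer #1 certificate DN: CN=DevA Example
Signer #1 certificate SHA-256 digest: $DEVA_DIGEST"
UPDATE_NEW_KEY="Signer #1 certificate DN: CN=DevB Example
Signer #1 certificate SHA-256 digest: $DEVB_DIGEST"

# Demo on the constructed samples: DevB building with DevA's keystore vs. a new one.
for candidate in "$UPDATE_SAME_KEY" "$UPDATE_NEW_KEY"; do
    if same_signer "$PUBLISHED" "$candidate"; then
        echo "signer matches the published APK"
    else
        echo "signer differs from the published APK"
    fi
done
```

With real files, call check_apks with the published APK first and the new build second.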
Face to Face Clients
Good morning Client team,
Hearing the latest error issue from the Playstore account is indirectly good news for us, as an indication that the application is approaching the final stage.
But before that, please allow us to change our personal API key to the Client's API key, here are the simple steps that can be taken:
- Log in to the account at https://console.developers.google.com
- Click the Credentials menu
- Click create credentials
- Click restrict key, then just rename it, no need to restrict to a specific platform, because it will require many conditions if that is done.
Note:
An unrestricted API key is not limited to web/app platforms; however, it would be better if its use were dedicated to a specific platform, so that it is easier to analyze statistics on the dashboard, because it is then clear where the traffic for each API key comes from (the web or the app).
Implementation of API key in project config
At this stage, we offer a choice:
- If the Client team is willing to share the API key with us, then we will implement it in the project and build it into a release.
- If the Client team does not wish to share the API key, then the Client's programmer must do it. Later we will send the project repository via email; the programmer downloads / clones it, opens the project with Android Studio, then pastes the key here:
public static final String API_KEY = "YOUR API KEY";
After that, the programmer can try running it on the emulator. If the video portfolio appears and can be played, it means the implementation was successful. The next stage is that the programmer can build it into a release using his/her keystore/Client.
Note:
To ensure the build releases properly, be sure to do this:
- Build > Clean Project,
- File > invalidate Caches / Restart.
- Wait for the Android Studio restart process to complete, then → Build > Generate Signed Bundle / Apk.
release-build.apk is ready to be uploaded to the Playstore.
That is all and thank you.
Greetings,
Android Dev Jogja