Wednesday, 18 January 2023

What are options for upgrading signing key for Play Store and self-published universal APK?

I am one of the maintainers of an Android application that has been in development since 2008. We currently manage our own release key and we would like to start using a new, more secure key. Our users generally install from the Play Store but some require universal APKs which we would like to continue publishing. We would like these to be compatible with Play Store installs/updates and we would like to publish one per version (i.e. not two signed with new and old keys). Our app is currently signed using the v1 and v2 schemes.

As I understand it, we have the following options:

  1. Continue managing our own keys. Generate a new, modern key. Create a rotation lineage between the two keys. When releasing, sign with the old key, the new key, and the lineage file using the v3 scheme. Upload that to both the Play Store and as the self-published universal APK.

  2. Opt into App Signing and upload the older key. Request a key upgrade for new installs (which may or may not be granted). Generate a new, modern key locally. Upload that key as the updated key. From the Play Store, that new key will be used for new installs, the older key will be used for existing installs. For the self-published universal APK, we can create a rotation lineage between the two keys and sign with that.

  3. Opt into App Signing and upload the older key. Upgrade signing key for Android 13+. Generate a new, modern key locally. Upload that key as the updated key. From the Play Store, Android 13+ devices will get installs and updates signed with the new key, all others will get installs and updates signed with the old key. From the self-published universal APK, we can create a rotation lineage between the two keys and sign with that.

In an ideal world, we could enroll in App Signing, let Google manage the signing and download a single universal APK to share. Both paths would work for upgrading existing installs (old key) on all Android versions (we support down to Android 5.1). My understanding is that this is not possible because App Signing does not use the v3 signing scheme or any other standard for establishing a relationship between old and new key. The latest information I can find on this is in a May 2020 dev rel article on App Signing:

“the current key upgrade process does not take advantage of the key rotation feature introduced in Android 9 (Pie) and above. We are currently investigating support for key rotation using app signing v3 for devices on these OS versions and will let the developer community know once it’s ready in a separate announcement.”

I can find no related announcement or documentation.

Have I correctly understood our options? Is there any reason not to continue managing keys and using the v3 scheme to rotate on Android 9 and above?

EDIT: I previously asked what "upgrade signing key for Android 13+" does differently from "request a key upgrade for new installs", and found a partial answer in the Android 13 release notes:

“APK Signature Scheme v3.1 allows apps to support original and rotated signers in a single APK and also supports SDK version targeting.”

There is more in the overview. My understanding is that App Signing DOES use key rotation now but only with the v3.1 scheme, which is only supported in Android 13+. However, that would be inconsistent with Play Console Help, which says:

“Note: Requesting an app signing key upgrade for new installs in Play Console is unrelated to key rotation introduced in APK signature scheme v3 for Android P and above.”
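Option 1 above, sketched with the Android SDK's `apksigner` as an added example that is not part of the original post. The keystore, lineage and APK file names are placeholders (assumptions), and `DRY_RUN=1` prints each command instead of running it.

```shell
# Added example: self-managed keys with v3 rotation (option 1 in the question).
# File names are placeholders; apksigner prompts for keystore passwords.
OLD_KS="${OLD_KS:-old-release.jks}"
NEW_KS="${NEW_KS:-new-release.jks}"
LINEAGE="${LINEAGE:-signing-lineage.bin}"

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One-time step: create the lineage recording that OLD_KS hands over to NEW_KS.
# Keep the lineage file with the keys; every later release needs it.
create_lineage() {
  run apksigner rotate --out "$LINEAGE" \
    --old-signer --ks "$OLD_KS" \
    --new-signer --ks "$NEW_KS"
}

# Per release: sign_release UNSIGNED_APK SIGNED_APK
# v1/v2 signatures are made with the old key, so devices below Android 9 still
# accept the update; the v3 block carries the new key plus the lineage.
sign_release() {
  run apksigner sign \
    --v1-signing-enabled true --v2-signing-enabled true --v3-signing-enabled true \
    --ks "$OLD_KS" --next-signer --ks "$NEW_KS" \
    --lineage "$LINEAGE" \
    --out "$2" "$1"
}

# Release gate: verify_release SIGNED_APK
# Prints the certificates in the lineage, then the signers and schemes that
# verify on the APK, so a release missing the rotation is caught before upload.
verify_release() {
  run apksigner lineage --in "$LINEAGE" --print-certs &&
  run apksigner verify --verbose --print-certs "$1"
}
```

Compare the certificate digests printed by `verify_release` against the ones recorded for both keys before publishing the APK to either channel.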


