
How to manage APK signing keys

How to sign an Android app

RuStore supports uploading applications in APK and AAB formats. Each APK file must be signed with a digital certificate, which Android uses to identify the app owner. Please ensure safe storage of the signing key.

When uploading files in AAB format, the application signature is uploaded separately during the application upload process.

How Android checks versions

Android compares the digital fingerprints of each signed APK file.

A digital fingerprint is a sequence of bytes created by applying a cryptographic hash function to a public key.

The digital fingerprint is represented as follows:

43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8

Signing verification

This process is required if the application has been published on Google Play. When submitting an APK file to the RuStore Console, ensure that it carries the same signature as the one used in other app stores, such as Google Play. This will allow users to update apps installed on their devices whenever a newer version is available on RuStore.
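One way to check this before submitting a build, as an added example that is not RuStore's own code: it parses the output of `apksigner verify --print-certs` (Android SDK build-tools) for two builds and compares their signer certificate digests. The sample outputs and digests are constructed, the function names are illustrative, and the comparison is a simplification that ignores APK Signature Scheme v3 key rotation.

```python
import re
import subprocess

# Digest line printed by `apksigner verify --print-certs` (Android SDK build-tools).
DIGEST_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)\s*$", re.M)

# Constructed sample output; the digests are made-up values, not real certificates.
PLAY_BUILD = """\
Signer #1 certificate DN: CN=Example Release Key
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""
RUSTORE_BUILD_NEW_KEY = """\
Signer #1 certificate DN: CN=Example Regenerated Key
Signer #1 certificate SHA-256 digest: ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""


def normalize(fingerprint):
    """Return a fingerprint as lowercase, colon-separated bytes."""
    digits = fingerprint.replace(":", "").strip().lower()
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"not a hex fingerprint: {fingerprint!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def signer_digests(print_certs_output):
    """Collect the SHA-256 certificate digest of every signer in the output."""
    found = {normalize(m) for m in DIGEST_LINE.findall(print_certs_output)}
    if not found:
        raise ValueError("no signer certificate digest found; is the APK signed?")
    return found


def apk_digests(apk_path):
    """Same as signer_digests, for a real file; needs apksigner on PATH."""
    result = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                            check=True, capture_output=True, text=True)
    return signer_digests(result.stdout)


def can_update(installed, candidate):
    """Simplified rule: an update installs only if the signer sets are identical."""
    return installed == candidate


if __name__ == "__main__":
    old, new = signer_digests(PLAY_BUILD), signer_digests(RUSTORE_BUILD_NEW_KEY)
    print("update would install:", can_update(old, new))
```

For real files, pass the results of `apk_digests()` for the published APK and the candidate APK to `can_update()`.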

Is it necessary to use a signature from Google Play if you have your own?

No. If your app is on Google Play but you have your own signature, you don't need to go through signature verification. You can immediately upload files with your own signature to RuStore. The process is only necessary if you are using a Google Play signature. You can also upload dual-signature APKs.

What causes update errors?

One of the most common mistakes publishers make is using different signatures for an app published on RuStore and in other stores.

For example, the initially downloaded app version is signed with one certificate and the next version is signed by another one. Due to these differences, Android does not allow you to install updates for this application.

Possible reasons:

  1. The developer loses a certificate and then generates a new one to publish the application in the store.

  2. Developers can publish the same application in different stores. For example, the developer initially published the application on Google Play and used one certificate. But after switching to RuStore, he started using a different certificate.

This results in dividing users into two categories:

  • those who installed an app from Google Play;
  • those who downloaded it from RuStore.

If a user has installed RuStore and wants to update an app that was previously downloaded from Google Play, he will not be able to do this due to different certificates.

How can this problem be solved?

  1. We recommend using one certificate for all app versions to avoid problems with version updates from different sources.

  2. In urgent cases, you can ask users to remove the "old" app versions that cannot be updated and to download new ones. But this method carries the risk of losing part of the audience.

  3. You can also update the app signature with the help of RuStore technical support. The steps are listed below.

RuStore recommends using a locally stored certificate for more control over app releases.

If you use Google Play App Signing, which allows Google Play to generate and store the signature on its own, you may find that you cannot use the certificate outside of Google Play.

Resolving Update Errors with RuStore Support

To update the signing key, send an email to support@rustore.ru.

Specialists will open a request and check that the application belongs to the applicant.

Upon successful identification, the support specialist will deactivate the old certificate. After that, the developer just needs to upload the new APK file with an updated signing certificate common to RuStore and other stores.

What to do if you need to use different signatures?

If you have a separate signature released for RuStore, but the app is published on Google Play, upload APK files with both signatures and select the default signature released outside Google services. This will reduce update errors for users.