App Signing Certificate
The Native library protects its JNI interface: Native methods can be called through the SDK only from known applications. To enforce this, it checks whether the APK signing certificate matches the one embedded in the Native library. The Native library contains different embedded certificates for every client. The APK signing certificate is embedded in the Native library when the Native code is compiled.
The Native library uses signature scheme v2 for application verification. Ensure that your application is signed with the v2 scheme as well. Depending on the target and min Android version, the v2 signature might be omitted by default.
Google Play Signing Key Upgrade
If you upgraded your app signing key for new installs during your app's lifetime on Google Play, provide 2 signing certificates (new and legacy). Your new key is used to sign new installs and app updates. Your legacy app signing key is still used to sign updates for users who installed your app before the key upgrade.
Exporting Signing Certificate
Export Google Play signing certificate
1. Open Google Play Console
2. Go to the Play App Signing page (side menu Release > Setup > App signing)
3. Press Download Certificate in the App signing certificate section.
Export signing certificate from keystore
Export local signing certificates for local distributions from the keystore:
$ keytool -export -rfc -keystore <YOUR-KEYSTORE.jks> -storepass <YOUR-KEYSTORE-PASSWORD> -alias <KEY-ALIAS> -file output_certificate.pem
Export signing certificate from a signed APK
This approach will work if the signing scheme v1 is among the schemes used. To see which signing schemes are applied, check the next section for verification instructions.
$ cp app-release.apk app-release.zip
$ unzip app-release.zip -d app-release
$ cp app-release/META-INF/<NAME>.RSA ./<NAME>.RSA
Alternatively, you can share your signed APK or bundle file, and we will extract the signing certificate ourselves.
Signing and verifying APK from the command line
Signing is usually done automatically by tools or included in release pipelines. However, there might be occasions when one may want to do it manually for debugging or other purposes.
1. Build an unsigned APK.
$ gradle assembleRelease
2. Align the unsigned APK using zipalign.
$ zipalign -v -p 4 app-unsigned.apk app-unsigned-aligned.apk
3. Sign the APK with the private key using apksigner.
$ apksigner sign --v2-signing-enabled true --ks <YOUR-KEYSTORE.jks> --ks-key-alias <KEY-ALIAS> --out app-release.apk app-unsigned-aligned.apk
Ensure that your application is signed with the v2 scheme as well (--v2-signing-enabled true). Depending on the target and min Android version, the v2 signature might be omitted by default. See the documentation for more info.
4. Verify that the APK is signed with the intended certificate and contains all required signature schemes.
$ apksigner verify --print-certs --verbose app-release.apk
Ensure that the output contains a line:
Verified using v2 scheme (APK Signature Scheme v2): true
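The check in step 4 can be scripted for a release pipeline. The following is an added example, not part of the SDK or the original instructions: it reads the apksigner output, requires the v2 line above, and compares each "Signer #N certificate SHA-256 digest" line printed by --print-certs against an allow-list that can hold both the new and the legacy certificate. The function name, variable names, digests and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `apksigner verify --print-certs --verbose` output on
# stdin; arguments are the allowed signing-certificate SHA-256 digests (for
# example the new and the legacy Google Play certificate).
# Returns 0 only if the v2 line is "true" and every signer is allow-listed.
check_apk_signing() {
    output=$(cat)

    # The exact line the verification step above looks for.
    if ! printf '%s\n' "$output" |
        grep -qxF 'Verified using v2 scheme (APK Signature Scheme v2): true'; then
        echo "FAIL: APK is not verified with signature scheme v2" >&2
        return 1
    fi

    # Every "Signer #N certificate SHA-256 digest: <hex>" value, lowercased.
    signers=$(printf '%s\n' "$output" |
        sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' |
        tr 'A-F' 'a-f')
    if [ -z "$signers" ]; then
        echo "FAIL: no signer digest found (was --print-certs used?)" >&2
        return 1
    fi

    for digest in $signers; do
        matched=no
        for allowed in "$@"; do
            # Accept AA:BB:... fingerprints as well as plain hex.
            norm=$(printf '%s' "$allowed" | tr -d ':' | tr 'A-F' 'a-f')
            if [ "$digest" = "$norm" ]; then matched=yes; fi
        done
        if [ "$matched" != yes ]; then
            echo "FAIL: unexpected signer certificate $digest" >&2
            return 1
        fi
    done
    echo "OK: v2 signed by an expected certificate"
}

# Constructed digests and constructed apksigner output (not from a real APK).
NEW_CERT=a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
LEGACY_CERT=0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c0f1e2d3c
SAMPLE_OUTPUT="Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example (constructed)
Signer #1 certificate SHA-256 digest: $NEW_CERT"

printf '%s\n' "$SAMPLE_OUTPUT" | check_apk_signing "$NEW_CERT" "$LEGACY_CERT"
```

In a pipeline, replace the sample with the real output: apksigner verify --print-certs --verbose app-release.apk | check_apk_signing <NEW-DIGEST> <LEGACY-DIGEST>.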