How to Automate Secure Android App Code Signing in DevOps CI/CD
Android apps must be signed before they can be installed on mobile devices. Many developers sign within their development and integration platform, but some are required to sign applications on designated computers so that the signing credentials stay within a trusted environment. Appdome’s private signing script allows developers to sign Appdome-built apps easily on a local machine without uploading the signing certificate to Appdome’s cloud service.
This Knowledge Base article provides step-by-step instructions on how to sign your Android mobile app using Appdome’s Auto-Dev private signing script.
We hope you find this knowledge base useful and enjoy using Appdome!
About Securely Automating Android App Signing In CI/CD
Appdome is a mobile security platform that allows users to add a wide variety of features, SDKs, and APIs to iOS and Android apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate features to any mobile app – instantly, no code or coding required.
During the build process, adapters are added to the app to provide the added functionality. This invalidates the app’s original signature, so the app must be re-signed before it can be deployed on mobile devices. Appdome lets you sign your app by running a single script.
Appdome’s Auto-DEV private signing script allows users to sign Appdome Built apps locally without uploading the signing certificate to Appdome’s cloud service. The unsigned app is embedded in the script generated by Appdome. Running the script on your trusted environment will extract and sign the app using a certificate you provide.
As an Appdome user, you can sign any Appdome Built app by using Appdome’s built-in signing capabilities, Appdome’s Auto-DEV Private Signing script, or your own mechanism outside of Appdome. It’s your choice. However, because of Appdome’s Anti Tampering mechanism, a locally signed app may fail in deployment if the signing keystore does not match the Certificate Fingerprint. Auto-DEV private signing allows integrating the local signing into CI/CD systems.
Securely Automating Android App Signing In CI/CD
To securely automate Android app signing:
- Follow these steps to add a mobile app to your Appdome account.
- If you do not yet have an Appdome account, click here to create an account
- Complete the Build and Context workflow.
- Select the Sign Tab.
Note: a blue underline appears, indicating the step is active.
- Select the signing method: Auto-DEV Private Signing.
- Toggle on Use Google Play App Signing, if you are using this feature.
- Insert the signing Certificate Fingerprint, SHA1 or SHA256 (to learn how to obtain the fingerprint, see here), or the Google Play App Signing Certificate fingerprint (for more information, see here).
- Wait for Appdome to verify the signing parameters, then click the Auto-DEV Sign Privately button.
- When the Signing script generation is completed, click Next to move to the Deploy tab.
- Download the automatic private signing script (sign.sh).
Your unsigned app is embedded in this script.
Prerequisites to Securely Automate Android App Signing In CI/CD
- Appdome account – IDEAL or Higher.
- Appdome-DEV access
- Android Mobile App
- Keystore – This should be the same keystore file used to sign your Android app when distributing it via Google Play (it can also be the upload key if you are using Google Play App Signing)
- Keystore Password – The password used to unlock your keystore.
- Key Alias – The name you assigned to your keystore.
- Key Password – This is the specific password defined for your signing key.
- For Mac OS X or Linux computer:
- Python software (version 2.7 or higher)
- keytool executable (part of JRE or JDK, version 1.8 or higher) in the search path
- zipalign executable (part of the Android SDK Build Tools, version 28.0.3 or higher) in the search path
- apksigner executable (part of the Android SDK Build Tools, version 28.0.3 or higher) in the search path
- For Windows computer (Windows 10 or Windows Server 2019)
- Windows-Subsystem-Linux (WSL) (WSL installation on Windows Server 2019 / WSL installation on Windows 10)
- Linux distribution that supports OpenJDK 8 with apt package manager (For example Ubuntu 16.04)
- Python software (version 2.7 or higher)
When signing in your local environment, the Java version installed locally must be identical to or newer than the Java version used when generating your keystore.
To check your Java version, run the following command on your terminal:
MAC OS or Linux environment configuration
Locate your zipalign and apksigner executables on your computer.
Add their full location (SDK Build Tools) to your environment $PATH variable, for example:
Windows-Subsystem-Linux environment configuration
After you have installed the Linux distribution on your Windows computer, open the WSL console and run the following commands:
sudo apt update
sudo apt dist-upgrade -y && sudo apt install -y unzip zipalign lib32z1 openjdk-8-jdk gradle
curl https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip --output /tmp/sdk-tools-linux-4333796.zip
unzip /tmp/sdk-tools-linux-4333796.zip -d ~/Android
export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
cd ~/Android/tools/bin
./sdkmanager "platform-tools" "platforms;android-29" "build-tools;29.0.0"
export ANDROID_HOME=~/Android
export PATH=$PATH:$JAVA_HOME/bin:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/29.0.0
cd ~
android update sdk --no-ui
gradle -v
adb start-server
How to run Auto-DEV private script:
To run the automatic private signing script, use the following command:
sign.sh --output <path_to_outputfile.apk or path_to_outputfile.aab> --keystore <path_to_keystore> --keystore_pass <keystore password> --key_pass <key password> --keystore_alias <key alias>
Note! In some environments, you may be required to grant executable permissions to the signing script (using chmod +x command).
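Because a keystore that does not match the Certificate Fingerprint only shows up as a failure at deployment, a CI job can check the match before it runs sign.sh. The script below is an added example, not Appdome code: it checks that the prerequisite tools are on the PATH, compares the keystore's fingerprint (from keytool -list -v) with the one entered in the Sign tab, and only then calls sign.sh. It assumes Use Google Play App Signing is off, so the registered fingerprint is that of the local keystore; the environment variable names (EXPECTED_FP, KEYSTORE, KEY_ALIAS, KEYSTORE_PASS, KEY_PASS, OUTPUT, RUN_SIGNING) and the sample keytool output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Appdome code): gate sign.sh on a fingerprint match.
# Assumed env vars: EXPECTED_FP, KEYSTORE, KEY_ALIAS, KEYSTORE_PASS, KEY_PASS, OUTPUT.

# Drop colons and whitespace, uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -list -v` output on stdin, print the $1 (SHA1|SHA256) fingerprint.
extract_fp() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p" | head -n 1
}

# Exit 0 if keytool output on stdin carries fingerprint $1, 1 if not, 2 if $1 is malformed.
fp_matches() {
    expected=$(normalize_fp "$1")
    case ${#expected} in
        40) algo=SHA1 ;;
        64) algo=SHA256 ;;
        *)  echo "fingerprint is neither SHA1 nor SHA256" >&2; return 2 ;;
    esac
    actual=$(normalize_fp "$(extract_fp "$algo")")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed keytool output for offline testing; not a real certificate.
sample_keytool_output() {
cat <<'EOF'
Alias name: release
Certificate fingerprints:
     SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
     SHA256: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
EOF
}

preflight_and_sign() {
    for tool in keytool zipalign apksigner; do
        command -v "$tool" >/dev/null 2>&1 || { echo "not on PATH: $tool" >&2; return 1; }
    done
    # -storepass:env keeps the keystore password out of keytool's argument list.
    keytool -list -v -keystore "$KEYSTORE" -alias "$KEY_ALIAS" -storepass:env KEYSTORE_PASS \
        | fp_matches "$EXPECTED_FP" \
        || { echo "keystore does not match the registered fingerprint" >&2; return 1; }
    ./sign.sh --output "$OUTPUT" --keystore "$KEYSTORE" --keystore_pass "$KEYSTORE_PASS" \
        --key_pass "$KEY_PASS" --keystore_alias "$KEY_ALIAS"
}

# Runs only when the CI job opts in, so sourcing this file has no side effects.
if [ "${RUN_SIGNING:-0}" = 1 ]; then preflight_and_sign; fi
```

sign.sh still receives the passwords as command-line arguments, so inject them from the CI secret store and keep shell tracing (set -x) off for this step.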
Congratulations! You now have a signed app with Appdome’s Auto-DEV private signing script.
How Do I Learn More?
Learn more about Signing Android Apps on Appdome or Request a demo at any time.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.