How to Code Sign Secured Android App with SHA Fingerprint Google Cert in DevSecOps Build System
Some Android developers may elect to sign their apps using Google Play, and allow Google to manage the app signing certificate. In effect, they will Sign a Secured Android App with SHA Fingerprint Google Cert. In order to do so, you need to first extract a SHA-1 or SHA-256 Fingerprint from the Google Play signing certificate.
This Knowledge Base article provides instructions on how to extract a SHA-1 or SHA-256 fingerprint from a Google Play signing certificate to sign and manage certificates on Google Play. (Sometimes, this is done to allow Google to send different configurations to specific Android devices).
How to sign apps on Google Play
Appdome is a mobile security platform that allows users to add a wide variety of features, SDKs and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate features to any mobile app – instantly, no code or coding required.
To use Appdome’s signing or private signing with an app meant to be re-signed on Google Play, you need to extract the SHA-1 or SHA-256 fingerprint from the app signing certificate from your Google Play account.
To sign apps on Google Play, you need to enable the option “Use Google Play App Signing“ while signing on the Appdome platform before uploading the Appdome-built app to Google Play. This option is located under the “Sign” tab after you fuse an Android app. If you don’t enable “Use Google Play App Signing“ when you sign or privately sign your app on the Appdome platform, Google Play re-signing will trigger the Appdome Anti-Tampering security mechanism.
Prerequisites
- Appdome account
- Android App
- Application uploaded to Google PlayStore
- Signing Credentials
How to Extract a SHA-1 or SHA-256 Fingerprint from the Google Play Signing Certificate
For Internal Testing and App Releases
After logging into Google Play, you can extract a SHA-1 or SHA-256 certificate fingerprint and copy that into Appdome when signing on Appdome or Private Signing:
Navigate to the Google Play Console and log in (or access Google Play from an Android device)
- Choose the application you are signing
- Go to Setup –> App Signing
- Copy/Download the SHA-1 or SHA-256 certificate fingerprint from the App signing certificate section.
This app signing certificate (SHA-1 or SHA-256) is the fingerprint of the final signing certificate that will be distributed via Google Play. Insert this value while signing or private signing on Appdome.
For Internal App Sharing
After logging into Google Play, you can extract an SHA-1 or SHA-256 certificate fingerprint and copy that into Appdome when signing on Appdome or Private Signing:
Navigate to the Google Play Console and log in (or access Google Play from an Android device)
- Choose the application you are signing
- Go to Setup –> Internal App Sharing
- Copy/Download the SHA-1 or SHA-256 certificate fingerprint from the App certificate section.
This app signing certificate (SHA-1 or SHA-256) is the fingerprint of the signing certificate that will be used for the app’s internal sharing. Insert this value while signing or private signing on Appdome.
3 Easy Steps to Sign Secured Android App with SHA Fingerprint Google Certificate
Follow these step-by-step instructions to Sign a Secured Android App with SHA Fingerprint Google Cert.
- Build your secured app on Appdome
- Add your SHA Fingerprint Signing Certificate
- Click sign my app
Below is the screenshot with detailed instructions for signing on to Appdome and signing in privately.
Sign on Appdome:
Private signing:
Appdome requires this value because several Anti-Tampering techniques within Appdome ONEShield rely on the final signature certificate fingerprint to protect the application and verify that it has not been re-signed by an attacker or otherwise tampered with.
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Related Articles:
- Automated App Signing of Secured Android & iOS Apps on Appdome
- How to Enforce SHA-256 Digest in Android & iOS Apps
- How to Trust Google Play Store Tests with Appdome-Protected Android Applications
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.
