Android App Signing by Google

If you opt-in to let Google sign your app you get an upload key to sign and then google handles it.
As it is a permanent change I'd like to know if it works with Unity signing process.

https://support.google.com/googleplay/android-developer/answer/7384423

 

I would also like to know how this works. We can't risk testing this with our live product until we know more as it's non-reversible process

 

Any news on this?

 

Any news? I did opt-in thinking it would simplify things and instead it completely messed up my working pipeline: now I am only publishing on iOS and alternative android stores... !

 

I just upload a new apk with this feature enable for alpha testing to google play, At first the only problem that I found was that I was still singing with the key on Unity, I just erase my signing data on unity, build it again and it worked

P.D: My keystore was already created by android studio

 

Hey,

I signed in to Google Play App Signing to Alpha-Test my Android App (my first entry for the Playstore) and ran into serious problems:

The first uploaded version worked fine.
Current uploads also get accepted by Google, but after Download the app does not start anymore.

It must be an issue with my signing keys.
As far as I remember I did not get an uploadkey from google and so I still sign my apk with the keys set up in unity.

The best part is, when I hit Build&Run in Unity the apk gets build but the app does not start on the phone anymore.

Any help is very welcomed.

Thanks
Carsten

 

I'm also wondering about this. It seems that in order to generate the upload key, I need to use an Android Studio project. Is this something that can be done without generating the project?

 

I created an upload key with keytool from JDK (no Android studio needed), and that has worked fine so far (dev builds and app working in play store):

Code (CSharp):

1. jdk1.8.0_111\bin\keytool -genkey -v -keystore spinpaint_upload.keystore -storepass <your password> -alias <your key alias> -keyalg RSA -keysize 2048 -validity 10000 -dname "C=<country>, ST=<state>, L=<city>, O=<organization>, OU=<org unit>, CN=<you>"
2.  

Modify anything above in <> as needed.

I always use the upload key in Unity to sign APKs. The only thing is when you install your app from the Play Store you need to uninstall it first on the phone since the store APK will have a different signing key that Google keeps safe.

 

Thanks for the info!

 

any one can create youtube tutorial for this
Enroll your app in Google Play App Signing
coz i a bit confuse how to enroll it

 

I take it that means it does work correctly together then?
You can use the key created with Unity (and signed in Unity) with "Google Play App Signing"?
(which was what the original poster was asking I think)

I've never released a game on android / ios, and a such I'm not familiar with all that app signing stuff. I'm doing my best in trying to understand it all.

 

Never mind @Steven-1. Like @Yury-Habets said what OP asked in this thread is unrelated to how build process of Unity works so the thread should be basically closed.

 

yes , It works with Unity signing process. I published an application (alpha) with unity, and Google Play App Signing activated.

P.S. If you're enrolled in Google Play App Signing, you can reset your upload key if:

• You lost your private key, or
• Your private key has been compromised

(you create a support ticket and prove that's it's actually you).

 

https://support.google.com/googleplay/android-developer/answer/7384423

Step 2: Prepare your release
Prerequisite: If you're a Play Console account owner, you can opt in to Google Play App Signing. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enroll individual apps into the program.

Go to your Play Console.
Select an app.
On the left menu, select Release management > App releases.
Next to "Google Play App Signing," select Accept.

The menu options in the directions above simply do not exist in the console.
Because of this the process comes to an abrupt halt for people that have never done it.
If someone that has done it could post step by step directions, using menu options that do exist, that would help tremendously.

This is a screenie of the google play console menu. Please note that there is no option for "Release management". At this point the process simply cannot be completed.

A step by step would help people get past this point.


If you click on "app signing" you get the same menu.

"Release management" is not an any of the menus.

1. Next to "Google Play App Signing," there is no Accept option.

I have sent this information to the google support team outlining the things mentioned above.

 

What I remember is that the items with the triangle/! next to them need to be finished before you can move on. Try each of those to see if there is missing information that you can enter.

 

I am trying to get all of that stuff finished but need to know how to use the google upload key to digitally sign my game first.
I used the chat option and talked to a support person for google and they could not help.
They said that they will have a "specialist" email me on monday.
This process just seems to be broken.

 

I have been doing some reading and it seems that there have been some changes to UI of the google developer site.
There are a lot of people having the same issues that I am.
Check out the comments for googles video for the new UI.

 

Again people have dropped he conversation.
Even google support gives sketchy unusable information.
I think there are a lot of people that sign their games manually.
If that is the case they should not be giving support for doing it automatically.
That is very confusing and provides no real support.

 

I finally figured out how to sign my game and got it uploaded to my google developer account.
It says that all the requirements have been met.
The entire process had nothing to do with google or android studio.
I have no idea why people in google support and in the unity forums would not just tell me how it is done.
Even if it is on the forums somewhere, after all my searching, I could not find it.
During the weeks of fighting and struggling and getting nowhere, no one even mentioned the following.

File>Build Settings>Player Settings>
Under "Player Settings" click the "Publishing Settings" tab.
"Create New Keystore" - Check it.
"Browse Keystore" - Click it.
"Alias" - select "Create a new key" on the dropdown.
In the new window that appears - enter password and confirm password.
"Alias" - select the new key that is now there on the dropdown.
Back to "Build Settings" - build game with the android platform selected.
Game now signed.

Game can now be uploaded to google developer account.

 

Thanks a lot incenseman, your explicit instructions helped me a lot, and also helped me wrap my head around the point of Google's app signing. They simply want you to use a new key that you haven't used on prior signed APK uploads before.

This is done so that losing the upload key won't mean the end of the world for your app entry -- normally, losing the original signing key means you can never upload a new version of the app again. With Google's new signing scheme, you can ask them for help if you lose the original upload key.

I know this sounds obvious to those who understand how the process works, but I've only understood its fundamental now. And it worked without a problem on Unity 2017.1.

 

thanks a lot incenseman and erwinumali for your helpful posts. So am I correct now in saying that, if you opted-in for Google automatic signing, the process is:

1. generate new key (with JDK keytool)
2. upload generated key to dev console
3. build *UNSIGNED* apk in Unity
4. upload game to dev console for automatic signing

This would actually make sense

 

After a couple of days I managed to make login work because of this change, since the last time I made a game that required play services.
What i figured out and I really hope that somebody has a solution to this, is that you need to upload every apk to test your code, and receive it through the play store.
That is because your upload signing key is not what is expected by google. Since google will replace it with the app signing key.
Is there a way to make iterating on device faster?

EDIT:
Turns out that you put the signing key of your upload certificate in the cloud consolse and it will work, as long as you have accepted the tester invitation

 

Sorry if I'm missing something, but where does the upload key generated by Google's pepk.jar tool come in? Or are your instructions applicable only to new apps? If so, does anyone know how to update an existing app?

 

Updated to 2018.2 and now I get an error when I try to upload my app to the Google Play Store. Previously I was able to upload the apk and upload subsequent versions, without having to stipulate an upload key anywhere. I assumed that the upload key was being held by Google, since I enrolled in 'google play app signing' program. Is this related to a UNity update, I'm not sure. My error looks like this: (I am definitely not in development build mode)

Upload failed
You uploaded an APK or Android App Bundle that was signed in debug mode. You need to sign your APK or Android App Bundle in release mode. Find out more about signing.

 

I'm having the same issue Esludden.

 

Thanks Pedro, I've made a bug report.

 

Esludden same issue, do you have a bug number we can upvote?

 

1067188_93ppgbjai4ftvhei

https://fogbugz.unity3d.com/default.asp?1067188_93ppgbjai4ftvhei

 

I'm having the same issue as well.

 

I received help from google support. They have suggested manually generating an upload key, even though this seemed to be handled automatically before. I copied the following instructions from their email -

To generate and register a new upload key:

1. Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key:

keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

• This key must be a 2048 bit RSA key and have 25-year validity.

1. Export the certificate for that key to PEM format:

keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

Finally, you will need to contact Google Support and send them the .pem file generated by keytool. (Once they have the .pem file your keystore manual signing should work, expect to have to wait 24 hours).

If you need help with the command line stuff, this is a youtube video explaining how to get Keytool set up with the Windows command shell.

 

Users should remember to register their new upload key with Google Support, or apk will be rejected. Registration took about 24 hours.

 

I am also having problems with the certificate. in 2017.4.6f1. I think that Google Play changed something

I was able to send my apk to the automatic signing system without any keystore specified on unity ( So I guess it was debug, but not sure)

but now I am having the same error as ESludden.

I think that as we uploaded previous version of the apk with the automatic system, they generate (or use the default that unity was using) the "Upload key" (That now you can download) But Google play didn't check if the apk was on debug sign before resign, and now they check it.

 

Confirmed I checked the SHA -1 of the last apk that I uploaded and the SHA -1 of the new apk and both use the android debug certificate. The upload key SHA -1 is the debug in my case and since now Google play checks if the Upload key is on debug. We are not able to upload the apk.

So the only way to solve the problem is as ESluden suggest. change the upload key with a new one

 

How do you register your upload key with Google support?? I just created a key in Unity and Google Console accepted the APK and says I'm ready to publish. But this sounds like it might be rejected if I don't do this step first. I'm just not sure on how to do it. Thanks

 

I just sent google support an email with the generated .pem file that I created, and asked them to register it at their end. It took about a day to get a reply and after that I had no issues uploading my apk. Hope that helps.

 

Thanks. I asked Google the same question and they just told me to check the certificate section in Google Console that has MD5 certificate fingerprint, SHA-1 certificate fingerprint and SHA-256 certificate fingerprint and compare that to what I have in Unity. But I'm not sure where I would find this information in Unity as it only creates a Keystore file which I can't open (presumedly because it's encrypted)? Am I missing something?

 

What happens if you just try to upload your apk to the Play Store? Perhaps post a part of the error message here.

 

I actually found out how to find the certificates. Basically it revolves around using keytool and terminal. Oddly it only shows the certificate fingerprints for SHA1 and SHA256 but nothing for MD5. I've seen old issues for this in forums but nothing recently and specific to Unity. I've asked Google for some advice on how I can also obtain MD5. If they have a solution I'll post here for others.

Also, my APK uploads fine to google console. I haven't tried publishing to Google Play yet as my understanding is that it will get rejected if the certificates don't match. So, I'm trying to check they're correct first.

 

The only problem now is that I have to maintain the keystore file somewhere safe rather than have it in the Google' server.
In a medium-sized company is not so easy to find someone to give this responsibility.

 

I'm finding problem to create Android App Bundle from my Unity project. My project was signed time ago with a unity generated keystore. Now Google needs another type of key (i think PEPK), and I don't know how to convert it. Can anyone help me?

I found that I can obtain a key exporting my project to android studio.
When I try to build the app bundle from Android Studio it says that my project doesn't have the Gradle Plugin, but i cannot find the way to exporting using gradle in Unity.
I'm using Unity 2019.1 and there isn't the "build system" option in build settings

 

This thread is a top search result from Google, so I'm posting here what worked for me after countless hours of trying. The following includes the nuances to properly creating an Android Bundle file from Unity and also properly doing App Signing in the Google Play Store...

The reason we need to make Android Bundles and do App Signing is because Android Pie (API 28+) has 64bit support for compatible devices.

Now you need to supply both a 32bit and 64bit version of your game when you upload to Google Play Store.

Unity 2017.4.x and greater allow a single export (“App Bundle”) to export to the store, at which time the store parses out a 32bit and 64bit versions from the bundle.

First you need to update your Android SDK API version to 28 or greater.
Also update your Android "build tools" to the latest version
Finally update your Android NDK to version 13 or greater.

To export a bundle from Unity…

1. File -> Build Settings
2. Don’t go to the Player Settings just yet, stay in the Build Settings that has your Scenes in Build listed etc.
3. Set “Build System” to Gradle
4. A new “Build App Bundle” checkbox appears which you should check
5. Now go to Player Settings
   1. Scripting Backend choose “IL2CPP”
   2. Target Architectures choose all of them
      1. Especially choose ARM64
6. Click Build
7. It will create a “.aab” file in addition to an “.apk” file with the same name
8. Note this makes builds take longer, don't create bundles if you're just troubleshooting your game during development
9. Before you can upload the AAB file to the store, you need to do app signing as follows…

To do Google Play app signing...

1. First you need to encrypt your existing keystore that you already used in Unity
   1. In Unity
      1. File -> Build Settings -> check Export -> Build
   2. In Android Studio
      1. Open that exported Unity project within Android Studio
      2. Top menu, choose Bundle -> Generate Signed Bundle -> Android App Bundle -> Next
      3. Key store path
         1. Locate the existing keystore your Unity project used
         2. Fill in rest of fields
         3. Check box for Export encrypted key
         4. Specify any path you want for this export to be saved to
         5. Click Next
         6. Choose Release
         7. Click Finish
         8. If asked for Java JDK path, copy paste it from Unity -> Preferences -> External Tools -> JDK
         9. If error regarding JDK path
            1. Go back to Step #2 (Generate Signed Bundle) and try everything again, and this time it won’t ask you for the JDK path and it won’t error out
         10. Look for the successfully exported file called “private_key.pepk”
2. Upload your private_key.pepk to Google Play
   1. Go to play.google.com/apps/publish
   2. Navigate to your game
   3. Release Management -> App Signing
   4. Click 1st radio button “Upload a key exported from Android Studio”
   5. Click “App Signing Private Key” button
      1. Choose your private_key.pepk file
      2. Click Finish
   6. You now see the App Signing screen
3. Now upload your Unity “.aab” file to the Google Play store
4. That's it, you now have a properly signed game that supports both 32bit and 64bit and is compatible with Android Pie OS!

 

Can't help but feel Unity or Google could do something to make this a lot easier. Building to Mac was a breeze compared to this. I'm all for democratization of game development, but the complexity of terms and process would seem to preclude that. Maybe some kind of Android version of XCode? An app that has a sole purpose, rather than a suite of tools and a library of new terms and concepts. Looking at you, Google Play Store. Make us a 'launch' button.