App signing by google play or our own?

Post reply

❤Follow Topic(5)

0 favourites

9 posts

From the Asset Store

Google Analytics 4

$6 USD

Google Analytics 4 Plugin for Construct 3 enables metrics and analytics for your games easily.

ppstudiomty

- RafaelMatos
- - Joined 8 Mar, 2014
  - 129 topics • 752 posts
- 1
- 23 Feb, 2019
- Quote
Hi. I don't upload anything to play store in 4 years. Play console and things got really different now and I saw that we have the option to let google handle the signing process. So what you guys do?

Is it the best let google handle it? I seams like a better option because of the app bundle thing and you don't really need to bother with it too.

Thanks.
Tagged:

apk
app-signing
- Nepeo
- - Joined 8 Mar, 2016
  - 5 topics • 730 posts
- 1
- 25 Feb, 2019
- Quote
App bundle is cool, but I'm not sure it has many advantages for Construct yet. App signing is good if your worried about losing your keystore or access to it, but that can be solved by good backup strategies. It also has the downside that you still have to have a keystore for signing ( they check that it was you that signed the APK then resign it ). Also your key signature will be different, making testing anything to that uses Google Auth ( Play services for instance ) awkward.
- Ashley Construct Team Founder
- Moderator
- - Joined 21 May, 2007
  - 667 topics • 30,053 posts
- 1
- 25 Feb, 2019
- Quote
The tutorial How to publish mobile apps covers a few of the options.

App bundles are kind of interesting for the larger app size you can publish, but right now I think you'd have to do an export via Android Studio to use that.
- RafaelMatos
- - Joined 8 Mar, 2014
  - 129 topics • 752 posts
- 1
- 26 Feb, 2019
- Quote
Well, I used the c3 service and built a signed apk but, in play console, I chose the option, which let google manage my keys, when I've uploaded my apk in alpha stage.

App bundle is cool, but I'm not sure it has many advantages for Construct yet. App signing is good if your worried about losing your keystore or access to it, but that can be solved by good backup strategies. It also has the downside that you still have to have a keystore for signing ( they check that it was you that signed the APK then resign it ). Also your key signature will be different, making testing anything to that uses Google Auth ( Play services for instance ) awkward.

What do you mean by awkward? My key signature that I got on export will be different how?

Well, if the only benefit is the backup security that google can provide, I believe I'm not using it then. Gonna have to start again but, since It is in alpha with just 2 testers, I believe I can restart the process again with a new app project in Play Console, right?
- Nepeo
- - Joined 8 Mar, 2016
  - 5 topics • 730 posts
- 1
- 26 Feb, 2019
- Quote
The signature is a string that is unique to your signing key.

When you set up an application to use Google Authentication ( sign in with google account, only used for Google Play Games at the moment ) they provide you with an application key which is unique to your app, and you provide them with the signature for your signing key.

Then in your app when it attempts to use that application key the sign in service checks the signature of the key which was used for the APK, if it doesn't match the sign in window doesn't appear. It's a pretty solid security system, but one that can be awkward.

If you use their signing service, then your application has been signed with a different key that you don't have so the signature doesn't match. I believe they provide you with the signature for the key, so you can change the signature to match. However, it does mean that you cannot produce a working build without at least publishing it via an alpha channel.
- RafaelMatos
- - Joined 8 Mar, 2014
  - 129 topics • 752 posts
- 1
- 27 Feb, 2019
- Quote
The signature is a string that is unique to your signing key.

When you set up an application to use Google Authentication ( sign in with google account, only used for Google Play Games at the moment ) they provide you with an application key which is unique to your app, and you provide them with the signature for your signing key.

Then in your app when it attempts to use that application key the sign in service checks the signature of the key which was used for the APK, if it doesn't match the sign in window doesn't appear. It's a pretty solid security system, but one that can be awkward.

If you use their signing service, then your application has been signed with a different key that you don't have so the signature doesn't match. I believe they provide you with the signature for the key, so you can change the signature to match. However, it does mean that you cannot produce a working build without at least publishing it via an alpha channel.

All made sense. Thanks for the great explanation! I'm going to manage my own keys now.
Try Construct 3

Develop games in your browser. Powerful, performant & highly capable.
Try Now Construct 3 users don't see these ads
- PixelImpact
- - Joined 4 Nov, 2013
  - 17 topics • 57 posts
- 1
- 10 Dec, 2019
- Quote
EDITED:

Questions about the advantages of the Google Authentification
- Nepeo
- - Joined 8 Mar, 2016
  - 5 topics • 730 posts
- 1
- 11 Dec, 2019
- Quote
PixelImpact The main advantage of Google App signing is that the main key is held safely by Google, meaning you cannot lose it or have it stolen and compromised by a malicious 3rd party.
Normally when you sign an application you are basically saying that you made it. Whatever system runs your application can see if it's been tampered with, and decide not to run it as well. Unless someone has your key and passwords they cannot sign as if it was you.

In the Android ecosystem you sign the APK and it goes unmodified until it reaches the user, so the users device can tell you signed it. If the key changes then neither the store or the user can confirm that you created the APK, so it's considered invalid.

The Google App signing changes this. You sign the APK, and the store verifies that it was you that signed it. Then the store signs it with a different key it holds securely. The end user only ever sees the last key. This means if you need to use a new key, you can securely tell Google your using a new one and to not trust the older one anymore. Users don't see any difference.

There is a second reason to do this. If you decide to use the newer Android App Bundle (AAB) format you need to use app signing with it. The reason being that AAB files are like a half built APK. The store decides what parts of the AAB are needed by the user, then creates an APK from those parts and signs it with the key.

I don't believe you can swap to using Google App Signing once you've published an app, because the users device would not recognise the signature. But I haven't read into it much.
- PixelImpact
- - Joined 4 Nov, 2013
  - 17 topics • 57 posts
- 1
- 11 Dec, 2019
- Quote
Nepeo Thank you for the great explanations and sorry for the edditing of my previous post, I figured some things and I wanted not to overload the forum but I was to quick to edit :)
So just to be sure on the process :

I export my signed app with the signature I create > I upload my app on the Play Console > I upload my signature file there too if I want to have the Google Authentification and if I loose it, I can ask google another one (which will be quite the same process).

Any idea where I can upload the key to store it in the Play Console?

Because all I have is :

Also do I have to use a AAB and/or Android Studio to have the Google Signing? Because I would rather much not use Android Studio and export straigt from Construct.

(is a AAB really better or it's just a size matter? (my APK make 11mo and my AAB 10.5 so not much of a difference)

Thank again for the support !