How to modify "SHA1" in my released keystore app - google-play

I made my app using AppsGeyser, which was version 0.1.
I made the same app with more features on PhoneGap and updated my version to 0.2.
Everything goes fine, BUT while uploading my APK to the Google store under the same app, it says that my SHA1 is modified and I have to use the same certificate.
What shall I do?
Thanks

The Play Store requires the .apk to be signed before you can publish it there.
If you've made an app with AppsGeyser and published it to Play, then your application is signed by the AppsGeyser private keys (unless you've explicitly signed the .apk before publishing it, or you've provided your secret keystore to AppsGeyser, which is unlikely).
AppsGeyser won't give you their keystore, and you need it to be able to sign a new version of your software. Here is the quote from the docs about this:
Your private key is required for signing all future versions of your application. If you lose or misplace your key, you will not be able to publish updates to your existing application. You cannot regenerate a previously generated key.
In other words, you have 2 options here. Either stick with AppsGeyser and update your app using their services, or publish the update to your application as a whole new application.
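A way to check, before uploading, whether a new build carries the same signing certificate as the published one (an added example, not part of the original answer; the script and APK names are placeholders). It normalises the SHA-1 printed by `apksigner verify --print-certs` or `keytool -printcert -jarfile` and compares the two values.

```bash
#!/usr/bin/env bash
# Compare the signing-certificate SHA-1 of two APKs before uploading an update.

# Constructed sample tool output (not from a real app), one per tool format.
SAMPLE_KEYTOOL=$(printf 'Certificate fingerprints:\n\t SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\n\t SHA256: (omitted)\n')
SAMPLE_APKSIGNER=$(printf 'Signer #1 certificate SHA-256 digest: (omitted)\nSigner #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567\n')

# Read tool output on stdin; print the first SHA-1 as 40 lowercase hex digits.
cert_sha1() {
  grep -E 'SHA-?1( digest)?:' | head -n 1 |
    sed -E 's/.*SHA-?1( digest)?:[[:space:]]*//' |
    tr -d ':' | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate that signed an APK. apksigner (Android SDK
# build-tools) understands every APK signature scheme; keytool (JDK) only
# reads the JAR-style v1 signature, so it is the fallback.
apk_sha1() {
  if command -v apksigner >/dev/null 2>&1; then
    apksigner verify --print-certs "$1" | cert_sha1
  else
    keytool -printcert -jarfile "$1" | cert_sha1
  fi
}

# Return 0 if equal, 1 if the certificate changed, 2 if either is malformed.
compare_fingerprints() {
  for fp in "$1" "$2"; do
    case "$fp" in ''|*[!0-9a-f]*) echo "could not read a SHA-1 fingerprint" >&2; return 2 ;; esac
    [ "${#fp}" -eq 40 ] || { echo "unexpected fingerprint length" >&2; return 2; }
  done
  if [ "$1" = "$2" ]; then
    echo "same signing certificate: $1"
  else
    echo "certificate changed: $1 -> $2 (Play will reject this as an update)" >&2
    return 1
  fi
}

# Usage: ./check-signer.sh published.apk new-build.apk   (placeholder names)
if [ "$#" -eq 2 ]; then
  compare_fingerprints "$(apk_sha1 "$1")" "$(apk_sha1 "$2")"
fi
```

The non-zero exit status on a mismatch lets a release script stop before the upload step.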

Related

Difference between Expo managed project keystore file, and the Google Play upload keystore

I'm building a React Native app using the Expo managed project process. Upon completion, when I run expo build:android I am prompted that I need a keystore file associated with my project. I chose to let Expo handle the keystore file process for me. The app builds and I have a .aab file. Great.
Then when I upload to the Play Store, I am prompted by Google Play to ask me if I want Google to store and handle my upload keystore/certificate. This is, I believe, a requirement now. I also selected yes for this option. It generates its own keystore file and stores SHA-1, MD5 Certificate, etc. These are different from my Expo-produced ones.
So now I have a keystore file generated by Expo that is associated with my app, and an upload keystore file generated by Google Play associated with my app.
I was able to upload my .aab file to Google Play and it is available in the internal testing track which I am currently using to review the app. But I am unclear which keystore file is the one now associated with my app.
Are these the same file or different? If the same, which keystore file prevails? Does Google overwrite the Expo one?
Thank you.
Google Play uses two sets of certs/keys:
The "app signing" one is used to sign applications that are in the store. Unless you are migrating from an old app you will never see that key; it's generated and managed by Google. The only thing you might need from it is the SHA-1 fingerprint, which can be used in third-party apps to identify your app.
The "upload" one is the certificate that you need to use to sign your app before uploading it to Google. Google needs only the public key of that upload certificate.
When you upload an app to the store, Google removes the "upload" cert signature and signs it with the "app signing" certificate.
When you generate an app using the Expo CLI, it generates a random keystore that contains a private and public key. At this point the keystore is not connected in any way to a Google account; that connection is established when you upload the first application. At that point Google saves the public key extracted from the apk/aab, and from then on only applications signed using that keystore can be uploaded to the store.

Developer asking for my keystore and passwords

I am the owner of multiple apps on Google Play. I have a keystore for each app. Now I am outsourcing to a developer and this person is also helping me with stuff on the Google Play developer console such as in-app purchases. He is now saying he needs the keystore and the related passwords to sign a release. I do not want to share those for security reasons. What should I do in this case? Is there any workaround to allow him to continue working without sharing the keystore and credentials?
You can perform the release yourself. After all, you just have to compile the code and sign it. (I assume you use Git.)
You could use Google App Signing: the signing data is hosted in your Google developer account and not in an external keystore, and each time you upload an update Google Play will sign it. Take a look at this please: https://support.google.com/googleplay/android-developer/answer/7384423

Is it possible for a user on Google Play Store to upload an application instead of the owner?

Let's say A is the owner. I want users B, C and D from our team to be able to upload the new versions of our application. Is this possible?
From this it is not very clear to me what kind of permissions a user has.
If somebody has any experience with this part, it is welcome.
You need the Google account details to sign in to the Developer Console.
Any application uploaded to the Play Store must be signed.
From the Google documentation:
Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.
A signed apk file has a binary file it is built and signed with.
Only the developer has this file on his own computer. Once an application is first signed and uploaded to the store, all the other versions of the app must be built and signed against the same binary file.
If a developer loses this file he will no longer be able to publish updates to his own app.
Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.
(from the same link)
It is possible to add another user's permissions to your Developer Console.
Here is the list of permissions you can choose to share:
Create & edit draft apps
Edit store listing, pricing & distribution
Manage Production APKs
Manage Alpha & Beta APKs
Manage Alpha & Beta users
View financial reports
Reply to reviews
Edit games
Publish games
View AdWords campaigns
Create AdWords campaigns
These permissions can be global to all apps on the account or only for particular apps.
Anyway, if you share the Manage Production APKs permission you'll have to share the signature file as well.

Deploy self signed XAP to windows phone 8

We developed an app for WP8 and wanted to distribute it internally via a download URL to the XAP file. Steps we have taken so far:
Use Makecert.exe to generate a self signed XXX.cer with a XXX.pvk (with no password)
Used Pvk2Pfx.exe to create a pfx file which includes the private key (with a password)
Used XapSignTool.exe to sign our XXX_Release.xap
We also deployed the XXX.cer to the phone device but we still get the error "Can't install company app".
After that we tried to generate an Application Enrollment Token (AET) with AetGenerator.exe (not 100% sure if we need this) from our XXX.pfx, which exits with an error:
Unknown error while generating AET startIndex cannot be larger than length of string. Parameter name: startIndex
Any ideas what we are doing wrong, or suggestions for the way to distribute an app like that? Is it only possible if we have obtained a certificate from Symantec?
Thanks!
PS: I just browsed through the MS documentation, and for the PFX parameter of the AETGenerator it states:
Required. The name of the PFX file generated from the enterprise mobile code-signing certificate provided by Symantec.
So most probably it seems that a Symantec $299/year certificate is required. Would this be the correct assumption?
It was indeed as it seemed. You can sign your code with any self-signed pfx generated after the latest documentation on the pfx tool.
It is not possible to deploy an app without a company account. This involves paying the $299 and going through the certification process by Symantec.

Re-enrollment after upgrading Apple Push Certificate

Can anyone confirm that after changing the Apple Push Certificate to follow the new steps, you have to re-enroll all the devices?
I have tried creating the CSR based on the existing P12 key store, and afterwards creating a new P12 key store with the Apple signed public key. When using this new key store I am able to enroll devices, but all devices already enrolled need to be re-enrolled.
After much search I found the answer at McAfee.
If you obtained your previous MDM certificate using an Apple Developer's Account your old certificate has been migrated to the new Apple Push Certificates Portal...
This explains everything. At my work we have one idep user that created the old certificate for me. When I signed in using my own Apple ID, naturally I was not able to see the migrated certificate.
