Google Play App Signing can store your signing key in the cloud

Android Police

By Ryne Hager

Published May 18, 2017

Google has just introduced a service called Google Play App Signing that allows you to store your app signing keys on Google's servers. This means your keys can't be lost or maliciously destroyed, as sometimes happens. And you won't have to worry about multiple apps using the same key by accident (which also happens).

For the uninitiated, the app signing key is a security thing for verifying updates. When you download a new version of an app your phone doesn't just trust the name or manifest implicitly, it does a quick check to make sure that it was signed by the correct key. Depending on the source of the file the update could have malicious modifications, so this is a step to make sure updates you download are legitimate. (Let this also serve as a PSA that your signing keys might be included in your build files if you haven't already changed how those are stored and can end up public if you put them on GitHub. You can change that with the info here.)

The new service means you can hand those keys to Google so that you don't have to worry about where they are or who has them. Google will then sign your apps with your key for you after you sign them with your new "upload key" and push them to Play. I don't know if this will allow for developers to continue to self-distribute with their previous keys outside of the Play Store, but assuming your app keys don't need to be changed to join the service then you should be able to self-sign as needed. Granted, that removes the convenience.

Keep in mind, opting into Google Play App Signing is a permanent change, and you cannot withdraw or remove your keys from their servers. That might mean that you'd have to re-release any apps again separately if you decide to leave, so make sure it's something you want to do.

This is another good tool to have come out of I/O for developers. After all, I/O is a developer conference, and Google certainly hasn't forgotten who makes the apps these days. If you are interested, feel free to check out the new Google Play App Signing in greater detail at the source below.

Source: Google