如何使用上传证书发布应用更新? [英] How to use upload certificate to release an app update?

问题描述

上周我创建了一个应用程序，并通过在 Android Studio 中创建密钥库将它的第一个版本上传到 Play 商店.我想注册 App Signing，但 Play Console 说我需要先上传应用才能注册，所以我上传了应用程序包 (app.aab) 然后注册了该计划，现在我可以看到 2 个证书 - 上传证书和应用程序签名证书.可以选择以 .der 格式下载它们.

Last week I created an app and uploaded the first version of it to play store via creating keystore in Android Studio. I wanted to enroll into App Signing but Play Console said that I first need to upload app before I could enroll into it so I uploaded the app bundle (app.aab) and then enrolled into the program, now I can see 2 certificates - upload certificate and app signing certificate. There is option to download them in .der format.

我该怎么处理这些 .der 文件?为了发布更新，我再次转到 Generate Signed Build，它要求我提供我选择的密钥库并输入密码，然后它生成了更新的签名应用程序包.

What do I do of these .der files? To release an update, I again went to Generate Signed Build and it asked me for keystore which I selected and entered the password and it generated the updated signed app bundle.

在整个过程中，我从未遇到过使用 .der 证书的选项，如果不需要它们，为什么它们会显示在 Play 管理中心的发布管理下的应用签名中.由于 Android Studio 仍在根据我硬盘驱动器上可用的密钥库生成签名版本，我注册的应用签名有什么意义?

In the whole process, I never came across an option to use .der certificate, if they are not required why are they showing in App Signing under Release Management in Play Console. And as Android Studio is still generating signed versions based on keystore available on my hard drive, what is the point of app signing which I enrolled in?

关于应用签名和管理密钥 甚至没有提到这些上传证书.它提到的是使用上传密钥对您的应用进行签名，什么是上传密钥 - Play Console 没有提及它，Android Studio 也没有提及，Android Studio 需要密钥库来生成 .jks 格式的签名构建

The official documentation on App Signing and Managing Keys doesn't even mention about these upload certificates. All it mentions is that sign your app using upload key, what is upload key - Play Console doesn't mention about it and neither does Android Studio, Android studio requires keystore to generate signed builds which is in .jks format

推荐答案

更新: Google 已更新其 有关应用程序签名的文档，使其更易于理解，因此此答案可能是多余的.留给子孙后代.

Update: Google has updated its documentation around App Signing by Play, making it much easier to understand, so this answer is probably redundant. Leaving it for posterity.

tldr;大多数开发人员不需要这些 .der 文件，它们用于高级用例.

问题太多了！好的，系好安全带...

So many questions! OK, buckle up...

只是为了澄清基础以确保我们使用相同的语言:当您在 keystore 中创建密钥时，您实际上是在创建一个密钥对(私钥和公钥)以及证书.该证书包含我们所说的专有名称(包括您的姓名、公司名称等)和公钥.因此，该证书是所有公开信息，并且在您对其进行签名以供任何人查看时实际上已添加到您的 APK 中.私钥保留在您的密钥库中，是使其他人无法以可通过您的证书验证的方式签署您的 APK 的秘密.由于术语太多，而且人们通常不太熟悉底层的密码学概念，因此您经常会看到人们只是交替使用术语密钥库"、密钥"和证书".

Just to clarify the basics to make sure we use the same language: when you create a key in a keystore, you're actually creating a key pair (a private key and a public key) as well as a certificate. The certificate contains what we call the distinguished name (with your name, company name, etc.) and the public key. The certificate is thus all public information and is actually added to your APK when you sign it for anyone to see. The private key remains in your keystore and is the secret which makes it impossible for anyone else to sign your APK in a way that can be verified with your certificate. Because there are so many terms and people are in general not so familiar with the underlying cryptography concepts, you'll often see people just use the terms "keystore", "key" and "certificate" interchangeably.

当您注册应用签名时，您会将您的私钥发送给 Google，以便 Google 可以代表您对 APK 进行签名.目的有三:

When you enroll in App Signing, you send your private key to Google so Google can sign the APKs on your behalf. The purpose is threefold:

• 优势 #1 - 应用优化:当您上传 Android App Bundle 时，Google 将能够代表您签署它生成的 APK.主要好处是为您的应用节省了大小，但超出了本文的范围.
• 好处#2 - 密钥丢失事件:无论您上传的是 APK 还是 Android App Bundle，如果您丢失了密钥，Google 仍有一份副本，因此您仍然可以更新通过上传使用新密钥签名的 APK(此操作称为上传密钥重置)，Google 仍然可以使用您的原始应用签名密钥对您的 APK 进行签名.否则，如果您丢失了密钥，您将无法再对您的应用进行任何更新.
• 好处 #3 - 密钥泄露事件:如果您使用与应用签名密钥不同的密钥(即上传密钥)对上传到 Play 管理中心的 APK 进行签名，那么您在您的应用签名密钥可能会被泄露(您可以将它放在具有受限 ACL 的驱动器上，因为您将不再使用它，而不是与您公司的许多开发人员共享它).如果您的上传密钥被盗用，Google 可以更改它.如果您的应用签名密钥被泄露(例如泄露)，那么您或 Google 将无能为力，其他人可以签署冒充您的应用的 APK 并将其分发到某些应用商店或网站.

• Benefit #1 - App optimizations: When you upload an Android App Bundle, Google will be able to sign APKs it generates on your behalf. Main benefit is size savings for your app, but outside of scope of this post.
• Benefit #2 - Key loss event: Regardless whether your upload an APK or an Android App Bundle, if you lose your key, Google still has a copy, so you will still be able to update your app by uploading APKs signed with a new key (this operation is called upload key reset), and Google will still be able to sign your APKs with your original app signing key. Without this, if you lost your key, you wouldn't be able to make any update to your app anymore.
• Benefit #3 - Key compromised event: If you sign the APKs you upload to the Play Console with a different key (i.e. the upload key) than your app signing key, then you are less at risk to have your app signing key compromised (you could just put it on a drive with restricted ACLs since you wouldn't be using it anymore, instead of sharing it with many developers of your company). If your upload key is compromised, Google can just change it. If your app signing key were compromised (e.g. leaked), then there is nothing you or Google could do, and someone else could sign APKs pretending to be your app and distribute them in some app stores or websites.

您可以看到现在有两种密钥(和关联的证书):

You can see that there are now two kinds of keys (and associated certificates):

• 应用签名密钥:这是用于对交付给用户的 APK 进行签名的密钥.
• 上传密钥:这是 Google Play 用来识别您上传到 Play 管理中心的 APK 的来源和完整性的密钥.

• App Signing key: This is the key that is used to sign the APKs that are delivered to your users.
• Upload key: This is the key that Google Play uses to identify the origin and integrity of the APKs you upload to the Play Console.

哦，是的，我还应该提到:有两种方法可以注册 App Signing.

Oh yes, I should also mention: There are two ways to enroll in App Signing.

1. 您是一个新应用，在您首次上传应用时，系统会提示您是否要加入应用签名.如果您在此阶段注册，Google 会为您生成应用签名密钥，并将您对上传的工件进行签名的密钥视为上传密钥.
2. 您是一个现有应用(即您已经上传了一个 APK 而未注册)，在这种情况下，您必须使用名为 PEPK 的工具传输您的应用签名密钥并创建一个新的此时上传密钥.

1. You're a new app and during your first app upload, you're prompted whether you want to join in App Signing. If you enroll at this stage, Google generates for you the App Signing key and considers the key you signed your uploaded artifact with to be the upload key.
2. You're an existing app (i.e. you've already uploaded an APK without being enrolled), in which case you have to transfer your app signing key using a tool called PEPK and create a new upload key at this time.

对于现有应用，在注册应用签名时创建上传密钥是可选的.这适用于只对利用 Benefit #1 感兴趣的人.不过，Google 强烈建议您创建一个上传密钥并开始上传用它签名的 APK/捆绑包，以避免出现好处 #2 和 #3(密钥丢失/泄露)中描述的灾难性情况.

For existing apps, creating an upload key is optional when enrolling in App Signing. This is for people who are only interested in taking advantage of Benefit #1. Google highly recommends to create an upload key though and start uploading APKs/Bundles signed with it to avoid the catastrophic scenarios described in Benefit #2 and #3 (key lost/compromised).

您理所当然地注意到，即使您创建了上传密钥，您仍然可以上传使用您的应用签名密钥签名的 APK.尽管这似乎适得其反，但 Google 这样做的主要原因是让开发人员可以切换到 Android App Bundle(要求 App Signing 注册)并在测试轨道中对其进行测试，同时仍然能够将 APK 推送到使用他们的应用签名密钥签名的生产轨道.这让开发人员有时间测试和研究如何在他们的构建过程中完成这项工作，而不会阻碍他们当前的生产发布过程.

And as you rightfully noticed, even when you create an upload key, you can still upload APKs signed with your app signing key. Although this seems counter-productive, the main reason Google did this was to give developers a way to switch to the Android App Bundle (which requires the enrollment in App Signing) and test it in a testing track while still being able to push APKs to their production track signed with their app signing key. This gives developers time to test and work out how to make this work in their build process without blocking their current production release process.

请注意，因为您仍然可以上传使用应用签名密钥签名的 APK，并不意味着您应该.如果您想利用好处 #3，您需要开始上传使用上传密钥签名的 APK.

Note that because you can still upload APKs signed with the app signing key doesn't mean you should. If you want to take advantage of Benefit #3, you would need to start uploading APKs signed with the upload key.

--

现在，回到这些 .der 文件......好吧，很快！

Now, back to these .der files... well, soon!

当您的 Android 应用与第三方 API(例如 Google API、Facebook API 等)通信时，您通常需要注册您的应用.此注册通常需要两条信息:包名称和证书指纹(例如 SHA1).此注册可确保只有具有您的软件包名称​​并且使用您的应用签名密钥签名的应用才能使用您对该 API 的配额.

When your Android app communicates with third-party APIs (e.g. Google APIs, Facebook API, etc.), you usually have to register your app. This registration usually requires two pieces of information: package name and fingerprint of the certificate (e.g. SHA1). This registration guarantees that only the app with your package name and signed with your app signing key will be able to use your quota of that API.

所有开发人员都知道他们的包名称，但很多人经常问如何获取证书的指纹.Stackoverflow 是一个很好的地方，可以找到要运行的正确命令以从您的密钥库中提取它，但 Play Console 也将其显示为一种方便(对于要求 Google 生成应用签名的开发人员来说，这也很重要密钥，因为他们没有带有应用签名密钥的密钥库).这就是您看到应用签名证书的 MD5、SHA1 和 SHA256 的原因.

All developers know their package name but many often ask how to get the fingerprint of the certificate. Stackoverflow is a great place to find the right commands to run to extract it from your keystore, but Play Console also displays it as a convenience (and it's also vital for developers who ask Google to generate the app signing key for them since they don't have the keystore with the app signing key). That's why you see the MD5, SHA1 and SHA256 of your app signing certificate.

我看到您现在在问好吧，显示应用签名证书的指纹是有意义的，但为什么还要显示上传证书的指纹?"这是一个很好的问题，谢谢你的提问.如果您在将 APK 上传到 Play 管理中心之前使用上传密钥对其进行签名，则您可能希望之前测试这些工件，因此，如果您与任何第三方 API 有任何集成，则还需要注册此证书！

I see you're now asking "OK, it makes sense to show the fingerprints of the app signing certificate, but why show the fingerprints of the upload certificate as well?" and that's a great question, thanks for asking. If you sign your APKs with the upload key before uploading them to the Play Console, you may want to test these artifacts before, and thus, if you have any integration with any third-party API, you will need to register this certificate as well!

好的，现在，我们终于可以访问 .der 文件了.

OK, now, we're finally getting to the .der files.

.der 文件就是证书. Play Console 不仅可以让您看到证书的指纹，还可以让您完整下载它们.开发人员可能需要它们的唯一原因是第三方 API 需要使用不同类型的指纹注册您的应用程序.例如，Facebook API 需要使用证书的 SHA1 二进制表示的 Base64 进行注册.您无法根据 Play 管理中心显示的指纹计算出该值，因此您必须在原始证书上手动运行一些命令.

The .der files are the certificates. Play Console allows you not only to see the fingerprints of the certificates, but also allows you to download them in full. The only reason a developer might need them is when a third-party API requires to register your app with a different kind of fingerprint. The Facebook API for example requires to register with the Base64 of the binary representation of the SHA1 of the certificate. You can't compute that from the fingerprints that the Play Console displays, so you have to run a few commands manually on the original certificate.

[来源:我在 Google 工作并实现了大部分内容]

[Source: I work at Google and implemented most of it]

这篇关于如何使用上传证书发布应用更新?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！