如何使用上传证书发布应用更新? [英] How to use upload certificate to release an app update?

问题描述

上周，我创建了一个应用程序，并通过在Android Studio中创建密钥库上载了该应用程序的第一个版本以播放商店.我想注册App Signing，但Play Console说我需要先上传应用程序，然后才能注册，所以我先上传了应用捆绑包(app.aab)，然后注册了该程序，现在我可以看到2个证书-上传证书和应用签名证书.可以选择以.der格式下载它们.

Last week I created an app and uploaded the first version of it to play store via creating keystore in Android Studio. I wanted to enroll into App Signing but Play Console said that I first need to upload app before I could enroll into it so I uploaded the app bundle (app.aab) and then enrolled into the program, now I can see 2 certificates - upload certificate and app signing certificate. There is option to download them in .der format.

这些.der文件怎么办?要发布更新，我再次转到Generate Signed Build，它询问我选择并输入密码的密钥库，并生成了更新的签名应用程序捆绑包.

What do I do of these .der files? To release an update, I again went to Generate Signed Build and it asked me for keystore which I selected and entered the password and it generated the updated signed app bundle.

在整个过程中，我从来没有遇到过使用.der证书的选项，如果不需要的话，为什么它们会显示在Play控制台的发行管理"下的应用签名"中.而且，由于Android Studio仍基于硬盘上可用的密钥库生成签名版本，因此我注册的应用程序签名有什么意义?

In the whole process, I never came across an option to use .der certificate, if they are not required why are they showing in App Signing under Release Management in Play Console. And as Android Studio is still generating signed versions based on keystore available on my hard drive, what is the point of app signing which I enrolled in?

有关应用签名和

The official documentation on App Signing and Managing Keys doesn't even mention about these upload certificates. All it mentions is that sign your app using upload key, what is upload key - Play Console doesn't mention about it and neither does Android Studio, Android studio requires keystore to generate signed builds which is in .jks format

推荐答案

更新:Google已更新其

Update: Google has updated its documentation around App Signing by Play, making it much easier to understand, so this answer is probably redundant. Leaving it for posterity.

tldr;大多数开发人员不需要这些.der文件，它们是用于高级用例的.

这么多问题！好，系好安全带...

So many questions! OK, buckle up...

只是为了澄清基础知识以确保我们使用相同的语言:当您在 keystore 中创建密钥时，实际上是在创建密钥对( 私钥和公钥)以及证书.证书包含我们称为专有名称(带有您的姓名，公司名称等)和公用密钥的名称.因此，该证书是所有公共信息，实际上是在您签名时将其添加到您的APK中的，任何人都可以查看.私钥保留在您的密钥库中，并且是秘密，这使得其他任何人都无法以可以通过证书验证的方式对您的APK进行签名.因为有太多的术语，而且人们通常对底层的加密概念不太熟悉，所以您经常会看到人们只是互换使用术语密钥库"，密钥"和证书".

Just to clarify the basics to make sure we use the same language: when you create a key in a keystore, you're actually creating a key pair (a private key and a public key) as well as a certificate. The certificate contains what we call the distinguished name (with your name, company name, etc.) and the public key. The certificate is thus all public information and is actually added to your APK when you sign it for anyone to see. The private key remains in your keystore and is the secret which makes it impossible for anyone else to sign your APK in a way that can be verified with your certificate. Because there are so many terms and people are in general not so familiar with the underlying cryptography concepts, you'll often see people just use the terms "keystore", "key" and "certificate" interchangeably.

注册应用签名时，会将私钥发送给Google，以便Google可以代表您对APK进行签名.目的是三重的:

When you enroll in App Signing, you send your private key to Google so Google can sign the APKs on your behalf. The purpose is threefold:

• 好处1-应用优化:当您上传 Android应用捆绑包时，Google将能够为您生成的APK签名.主要好处是可以为您的应用节省尺寸，但超出了本文的范围.
• 好处2-密钥丢失事件:无论您上传的是APK还是Android应用程序捆绑包，如果丢失了密钥，Google仍然会保留副本，因此您仍然可以进行更新通过上传用新密钥签名的APK(此操作称为上载密钥重置)来使您的应用生效，Google仍然可以使用原始应用签名密钥对您的APK进行签名.没有这个，如果您丢失了密钥，您将无法再对您的应用程序进行任何更新.
• 好处3-密钥泄露事件:如果您使用与应用签名密钥不同的密钥(即上传密钥)对上传到Play控制台的APK进行签名，那么冒着使您的应用程序签名密钥受损的风险(您可以将其放在具有受限ACL的驱动器上，因为您将不再使用它，而不是与公司的许多开发人员共享它).如果您的上传密钥被盗，Google可以对其进行更改.如果您的应用签名密钥被盗用(例如，泄露)，那么您或Google便无能为力，并且其他人可以对假装为您的应用的APK进行签名，然后将其分发到某些应用商店或网站中.

• Benefit #1 - App optimizations: When you upload an Android App Bundle, Google will be able to sign APKs it generates on your behalf. Main benefit is size savings for your app, but outside of scope of this post.
• Benefit #2 - Key loss event: Regardless whether your upload an APK or an Android App Bundle, if you lose your key, Google still has a copy, so you will still be able to update your app by uploading APKs signed with a new key (this operation is called upload key reset), and Google will still be able to sign your APKs with your original app signing key. Without this, if you lost your key, you wouldn't be able to make any update to your app anymore.
• Benefit #3 - Key compromised event: If you sign the APKs you upload to the Play Console with a different key (i.e. the upload key) than your app signing key, then you are less at risk to have your app signing key compromised (you could just put it on a drive with restricted ACLs since you wouldn't be using it anymore, instead of sharing it with many developers of your company). If your upload key is compromised, Google can just change it. If your app signing key were compromised (e.g. leaked), then there is nothing you or Google could do, and someone else could sign APKs pretending to be your app and distribute them in some app stores or websites.

您可以看到现在有两种密钥(和关联的证书):

You can see that there are now two kinds of keys (and associated certificates):

• 应用程序签名密钥:这是用于对交付给用户的APK进行签名的密钥.
• 上传密钥:这是Google Play用来识别您上传到Play控制台的APK的来源和完整性的密钥.

• App Signing key: This is the key that is used to sign the APKs that are delivered to your users.
• Upload key: This is the key that Google Play uses to identify the origin and integrity of the APKs you upload to the Play Console.

哦，是的，我还应该提到:有两种注册App Signing的方法.

Oh yes, I should also mention: There are two ways to enroll in App Signing.

1. 您是新应用，并且在您首次上传应用时，系统会提示您是否要加入应用签名".如果您在此阶段注册，则 Google会为您生成应用程序签名密钥，并将您用来签署上传的工件的密钥视为上传密钥.
2. 您是现有的应用(即您已经上传了APK但未注册)，在这种情况下，您必须使用名为PEPK的工具来转移应用签名密钥并创建一个新的此时上传密钥.

1. You're a new app and during your first app upload, you're prompted whether you want to join in App Signing. If you enroll at this stage, Google generates for you the App Signing key and considers the key you signed your uploaded artifact with to be the upload key.
2. You're an existing app (i.e. you've already uploaded an APK without being enrolled), in which case you have to transfer your app signing key using a tool called PEPK and create a new upload key at this time.

对于现有应用，注册应用签名时，创建上传密钥是可选的.这是针对只对利用 Benefit#1 优势感兴趣的人的. Google强烈建议您创建一个上传密钥，并开始上传与其签名的APK/Bundle，以避免#2和#3 中描述的灾难性情况(密钥丢失/损坏).

For existing apps, creating an upload key is optional when enrolling in App Signing. This is for people who are only interested in taking advantage of Benefit #1. Google highly recommends to create an upload key though and start uploading APKs/Bundles signed with it to avoid the catastrophic scenarios described in Benefit #2 and #3 (key lost/compromised).

正如您正确地注意到的那样，即使您创建了上传密钥，您仍然可以上传使用您的应用签名密钥签名的APK .尽管这似乎适得其反，但Google这样做的主要原因是为开发人员提供了一种切换到Android App Bundle(需要注册App Signing)的方法，并在测试过程中对其进行了测试仍然能够将APK推入使用其应用签名键签名的生产轨道.这使开发人员有时间测试并确定如何在构建过程中完成这项工作，而不会阻塞当前的产品发布过程.

And as you rightfully noticed, even when you create an upload key, you can still upload APKs signed with your app signing key. Although this seems counter-productive, the main reason Google did this was to give developers a way to switch to the Android App Bundle (which requires the enrollment in App Signing) and test it in a testing track while still being able to push APKs to their production track signed with their app signing key. This gives developers time to test and work out how to make this work in their build process without blocking their current production release process.

请注意，因为您可以仍然上传使用应用签名键签名的APK，并不意味着您应该 .如果您想利用 Benefit#3 的优势，则需要开始上传使用上传密钥签名的APK.

Note that because you can still upload APKs signed with the app signing key doesn't mean you should. If you want to take advantage of Benefit #3, you would need to start uploading APKs signed with the upload key.

-

现在，回到这些.der文件...好吧，很快！

Now, back to these .der files... well, soon!

当您的Android应用与第三方API(例如Google API，Facebook API等)进行通信时，通常必须注册您的应用.此注册通常需要两条信息:程序包名称和证书的指纹(例如SHA1).此注册保证只有使用您的包名和用您的应用程序签名密钥签名的应用程序才能使用该API的配额.

When your Android app communicates with third-party APIs (e.g. Google APIs, Facebook API, etc.), you usually have to register your app. This registration usually requires two pieces of information: package name and fingerprint of the certificate (e.g. SHA1). This registration guarantees that only the app with your package name and signed with your app signing key will be able to use your quota of that API.

所有开发人员都知道他们的软件包名称，但是许多开发人员经常问如何获取证书的指纹. Stackoverflow是找到正确的命令以运行以从密钥库中提取它的好地方，但是 Play控制台也将其显示为方便(对于要求Google生成应用程序签名的开发人员来说，这一点也至关重要为他们设置密钥，因为他们没有带有应用签名密钥的密钥库).这就是为什么您看到应用程序签名证书的MD5，SHA1和SHA256的原因.

All developers know their package name but many often ask how to get the fingerprint of the certificate. Stackoverflow is a great place to find the right commands to run to extract it from your keystore, but Play Console also displays it as a convenience (and it's also vital for developers who ask Google to generate the app signing key for them since they don't have the keystore with the app signing key). That's why you see the MD5, SHA1 and SHA256 of your app signing certificate.

我看到您现在在问:好，显示应用程序签名证书的指纹很有意义，但是为什么还要显示上传证书的指纹呢?"这是一个很好的问题，谢谢您的提问.如果您在使用APK上载密钥对APK进行签名之前将其上传到Play控制台，则可能需要先测试这些工件，因此，如果您与任何第三方API集成在一起，则也需要注册此证书！

I see you're now asking "OK, it makes sense to show the fingerprints of the app signing certificate, but why show the fingerprints of the upload certificate as well?" and that's a great question, thanks for asking. If you sign your APKs with the upload key before uploading them to the Play Console, you may want to test these artifacts before, and thus, if you have any integration with any third-party API, you will need to register this certificate as well!

好的，现在，我们终于可以找到.der文件了.

OK, now, we're finally getting to the .der files.

.der文件是证书.使用Play Console，您不仅可以查看证书的指纹，还可以完整下载它们.开发人员可能需要它们的唯一原因是当第三方API需要使用其他种类的指纹来注册您的应用程序时.例如，Facebook API需要向证书的SHA1的二进制表示形式的Base64注册.您无法根据Play控制台显示的指纹进行计算，因此必须在原始证书上手动运行一些命令.

The .der files are the certificates. Play Console allows you not only to see the fingerprints of the certificates, but also allows you to download them in full. The only reason a developer might need them is when a third-party API requires to register your app with a different kind of fingerprint. The Facebook API for example requires to register with the Base64 of the binary representation of the SHA1 of the certificate. You can't compute that from the fingerprints that the Play Console displays, so you have to run a few commands manually on the original certificate.

[来源:我在Google工作，并实施了其中的大部分内容]

[Source: I work at Google and implemented most of it]

这篇关于如何使用上传证书发布应用更新?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！