Signing an Android application with the internal Google Play key for publication in third-party stores (RuStore, Huawei ...?)

Problem

While publishing my application in RuStore, I ran into a problem updating a build that was originally installed from Google Play. A few years ago, when I published the application on Google Play, I entrusted Google App Signing with the management of the signing keys. This means that my local key is used as an “upload” key, and users on their devices already receive builds signed with the Google internal key. There is no direct access to this key, and, accordingly, I cannot sign the build for RuStore with it to seamlessly update the application.

As a result, RuStore suggests deleting the old app and installing the new version from scratch:

An example of a signing key conflict during installation


This leads to a lot of inconvenience – from the need to re-authorize at best, to the loss of a local database and user settings at worst.

Solution 1 – partial

In Google Play, we can disable the Google App Signing system, upload our key and partially solve the problem, but only for new users – the old ones will continue to receive updates from Google Play, signed with their internal key, until the application is completely reinstalled.

Updating the signing key in Google Play to local


Solution 2 – radical

We can separate application versions by changing the applicationId or adding a suffix to it, such as .rustore. In this case, the installation from RuStore will go smoothly, but the application will be duplicated – the device will have both the version from Google Play and from RuStore.

This can be handy if the application stores some data locally and you are afraid of losing it during a full reinstallation. In the new version, you can add brief instructions for manual migration, if there is one (for example, a description of how to back up the database file and settings and restore them).

Solution 3 – Keep using Google Play Internal Signature

But how? We don’t have direct access to the key!

We can continue to use Google App Signing for builds intended for RuStore and other stores. To do this, you need to set up internal testing in the console and create a new release:

We sign the release APK of the RuStore build locally with our key. Upload it to the console and click “Save as project”. The rest of the fields are optional.

After that, go to the App Bundle Explorer and open the latest uploaded version of the application.

Go to the “Downloaded files” tab and click the button to download the distribution APK.

Next, you need to clean up. Remove the release from internal testing; after that you can remove the APK from the App Bundle Explorer.

That's it: the RuStore build APK signed with the Google App Signing key is ready. First, I advise you to check that the update applies by manually installing the build over the version installed from Google Play. Everything should go without errors and with the user data of the previous installation preserved.
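Before the manual install test, the signer of the downloaded APK can be compared with the certificate fingerprints the Play Console lists for the app signing key and the upload key. This is an added example, not code from the original article; it parses the text printed by `apksigner verify --print-certs`, and the function names, fingerprints and sample output are constructed for illustration.

```python
import re

# Line format printed by `apksigner verify --print-certs app.apk`
_DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)")


def normalize(fp):
    """Lower-case hex without colons, so the console form (AB:CD:...)
    and the apksigner form (abcd...) compare equal."""
    digest = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return digest


def signer_digests(apksigner_output):
    """Set of signer certificate SHA-256 digests found in the output."""
    return {normalize(m) for m in _DIGEST_RE.findall(apksigner_output)}


def classify_apk(apksigner_output, app_signing_fp, upload_fp):
    """Say which key signed the APK described by the apksigner output."""
    found = signer_digests(apksigner_output)
    if not found:
        return "no-signer-found"
    if found == {normalize(app_signing_fp)}:
        return "app-signing-key"   # same signer as the Google Play install
    if normalize(upload_fp) in found:
        return "upload-key"        # would trigger the signature conflict
    return "unknown-key"


# Constructed sample values, not real fingerprints.
APP_SIGNING_FP = ":".join(["AB"] * 32)
UPLOAD_FP = ":".join(["CD"] * 32)


def sample_output(hex_digest):
    """Constructed apksigner-style output for one signer."""
    return (
        "Signer #1 certificate DN: CN=Example\n"
        f"Signer #1 certificate SHA-256 digest: {hex_digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n"
    )


if __name__ == "__main__":
    for digest in ("ab" * 32, "cd" * 32, "ef" * 32):
        print(classify_apk(sample_output(digest), APP_SIGNING_FP, UPLOAD_FP))
```

Only a result of `app-signing-key` means the APK carries the same signer as the build users received from Google Play.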

Thus, we were able to solve the problem of signing the application, while our build is not sent to Google for verification, since we do not publish it but only use it as a draft. Therefore, Google will not scold us for using third-party billing solutions and other prohibited libraries inside.

Checked on a build with integrated RuStore billing. It has not yet been published in the Huawei Store, so I can’t check Google’s reaction to HMS services in builds for internal testing. If someone tries, write to me and I will add it to the article.
