1

In Azure DevOps, I'm unzipping an aab, modifying some files (icons, resources, manifest) in the aab, and using bundletool to build the modules. My next steps are:

  1. Use jarsigner to sign the aab
  2. Use bundletool to generate the APKS and pass the signing information
  3. Unzip/extract the universal APK in it
  4. Use jarsigner to sign the APK and send it to test devices

I am assuming that I'm signing more times than necessary since I'm doing it 3 times (the AAB, the APKS, and the APK). Which signing is necessary? It only takes less than 10s for each signing task, but each task adds extra complexity and I would like this as simple as possible for re-usability.

valdetero

2 Answers

5

Here's a summary of the required signing:

App Bundle (.aab)

Signing needed (with jarsigner) before uploading to the Play Store.

No signing needed during development or testing.

APK Set (.apks)

Signing not needed. Ever.

APKs (.apk) (the ones inside the APK Set)

Signature always required (unless you're not going to install those APKs).

Bundletool will automatically sign the APKs it generates in the .apks when you pass the --ks flag, so most devs never have to do it themselves.

However, you've mentioned that you modify "some files": if you modify the APKs, you will need to sign them again (ideally with apksigner and not jarsigner -- more secure, and makes APKs faster to install).

Pierre
  • You said APK Set never needs signing, but you mention bundletool will do it if you pass `--ks`. That is what I'm doing in Step 2. – valdetero Aug 06 '20 at 23:02
  • the files that I'm modifying are in the aab and not the APK/S. Once I rebuild the AAB, I'm done with any modifying. – valdetero Aug 06 '20 at 23:03
  • Bundletool signs the APKs (as in plural of APK, i.e. the .apk files), it does not sign the "APK Set" (i.e. the .apks file). If you only modify the files in the AAB and pass the --ks flag to bundletool, then the only signing you need to do is the AAB before uploading to Play Console. Other than that, the .apk files are already signed and the .apks file does not need to be signed. I hope that clarifies it. – Pierre Aug 07 '20 at 15:59
  • If I have already signed an AAB, why do I have to sign APKs while executing bundletool build_apks (to deploy on a device)? I strictly do NOT want to distribute the keystore with an AAB (even among testers in our company)! – Programmer1234 Dec 08 '20 at 12:21
  • Signing the AAB is only for the Play Console to identify you. Signing the APKs is for the Android platform. You should not distribute an AAB. For testing, you can distribute a universal APK, an APK Set (.apks) or a Play store link to a version of your app in a testing track. – Pierre Dec 08 '20 at 17:19
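
The answer above distinguishes jarsigner from apksigner for APKs. As an added example (not code from any poster in this thread), the Python below reports which signature schemes a file carries: v1 JAR signing, which is all jarsigner writes, and the APK Signature Scheme v2/v3 blocks that apksigner can add. The names `signature_schemes` and `sample_apk` are hypothetical, the sample files are constructed ZIPs with placeholder signature data, and the check is presence only with no cryptographic verification.

```python
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"                # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # APK Signature Scheme block IDs


def signature_schemes(data: bytes) -> set:
    """Report which signature schemes are present (presence only, nothing is verified)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    # v1 = JAR signing, the only thing jarsigner writes: a .SF file plus a signature block file.
    if any(n.endswith(".SF") for n in names) and any(
            n.endswith((".RSA", ".DSA", ".EC")) for n in names):
        found.add("v1")
    # v2/v3 live in the APK Signing Block, placed directly before the ZIP central directory.
    eocd = data.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd >= 32 and data[cd - 16:cd] == APK_SIG_MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]  # block size minus its first field
        pos, end = cd - size, cd - 24                      # span of the ID-value pairs
        while 0 <= pos and pos + 12 <= end:
            length, block_id = struct.unpack_from("<QI", data, pos)
            if block_id in SCHEME_IDS:
                found.add(SCHEME_IDS[block_id])
            pos += 8 + length
    return found


def sample_apk(v1: bool, v2: bool) -> bytes:
    """Constructed sample: a tiny ZIP with placeholder (non-cryptographic) signature artefacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if v1:
            zf.writestr("META-INF/CERT.SF", b"placeholder")
            zf.writestr("META-INF/CERT.RSA", b"placeholder")
    data = buf.getvalue()
    if v2:  # splice a signing block in front of the central directory and fix the EOCD offset
        eocd = data.rfind(b"PK\x05\x06")
        cd = struct.unpack_from("<I", data, eocd + 16)[0]
        pair = struct.pack("<QI", 8, 0x7109871A) + b"\0" * 4
        size = len(pair) + 24
        block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_MAGIC
        data = (data[:cd] + block + data[cd:eocd + 16]
                + struct.pack("<I", cd + len(block)) + data[eocd + 20:])
    return data
```

A result of only `{"v1"}` on an APK means it was signed jarsigner-style; `apksigner verify` remains the tool for checking that the signatures are actually valid.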
1

This is an example of how to generate an Android App Bundle using Xamarin and Azure DevOps: https://damienaicheh.github.io/xamarin/azure/devops/2020/02/03/generate-android-app-bundle-xamarin-azure-devops-en.html

And this documentation about Xamarin.Android app bundles (https://github.com/xamarin/xamarin-android/blob/master/Documentation/guides/app-bundles.md) says that: "App Bundles can only be signed with jarsigner (not apksigner). App Bundles do not need to use zipalign. Xamarin.Android should go ahead and sign the .aab file the same as it currently does for .apk files. A com.company.app-Signed.aab file will be generated in $(OutputPath), to match our current behavior with APK files."

Dharman