My Google developer account now holds 5 different apps; 4 of them were created before the new Google App Signing was released, and all 4 share the same certificate. When I created the last app I followed the steps to create a new key, and now that one works “separately” from the rest of the apps, with its own release key.
I’m wondering if I could use the same recently created release-key.jks that I’m using to sign the last app for the rest of applications.
Also, in case I could, which of the three options that the App Signing page of the Google Play Console offers me should I choose to upload it?
- “You’ve exported your app signing key”
- “You haven’t exported your app signing key”
- “You don’t store your app signing key in a Java Keystore”
I’m a bit lost here and I don’t want to mess things up by not being able to release more updates in the future.
You should use the same key you signed it with for the first time.
According to https://developer.android.com/studio/publish/app-signing#considerations:
You should sign all of your APKs with the same certificate throughout the expected lifespan of your apps. There are several reasons why you should do so:
- App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the app—in this case, the user installs the new version as a completely new app.
- App modularity: Android allows APKs signed by the same certificate to run in the same process, if the apps so request, so that the system treats them as a single app. In this way you can deploy your app in modules, and users can update each of the modules independently.
- Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can expose functionality to another app that is signed with a specified certificate. By signing multiple APKs with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure manner.
If you plan to support upgrades for an app, ensure that your app signing key has a validity period that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key’s validity period expires, users will no longer be able to seamlessly upgrade to new versions of your app.
If you plan to publish your apps on Google Play, the key you use to sign those APKs must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available. If you use Google Play App Signing, Google ensures your apps are correctly signed and able to receive updates throughout their lifespans.
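
The two checks quoted above (same certificate on update, validity ending after 22 October 2033) can be run before switching keys. This is an added example, not part of the original answer; it assumes English-locale text as printed by `keytool -list -v -keystore <file>` for a single entry, and the function names and sample data are hypothetical.

```python
import re
from datetime import date

# Google Play requirement quoted above: validity must end after 22 October 2033.
PLAY_CUTOFF = date(2033, 10, 22)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_keytool(text):
    """Extract (expiry date, SHA-256 fingerprint) from `keytool -list -v` text."""
    until = re.search(r"until:\s+\w{3} (\w{3}) (\d{1,2}) [\d:]+ \S+ (\d{4})", text)
    # A SHA-256 fingerprint is 32 hex byte pairs joined by colons: 95 characters.
    sha = re.search(r"SHA-?256:\s*([0-9A-Fa-f:]{95})", text)
    if not until or not sha:
        raise ValueError("expected keytool -list -v output for one entry")
    mon, day, year = until.groups()
    return date(int(year), MONTHS[mon], int(day)), sha.group(1).upper()

def check_update(installed_text, candidate_text):
    """Return the problems that would block a seamless update (empty if none)."""
    _, installed_fp = parse_keytool(installed_text)
    expiry, candidate_fp = parse_keytool(candidate_text)
    problems = []
    if candidate_fp != installed_fp:
        problems.append("certificate differs from the installed version")
    if expiry <= PLAY_CUTOFF:
        problems.append(f"certificate expires {expiry}, not after {PLAY_CUTOFF}")
    return problems

def _sample(byte, until):
    # Constructed keytool-style output; the fingerprint is not real key data.
    fp = ":".join([byte] * 32)
    return (f"Alias name: release\nValid from: Fri Jan 05 09:12:44 UTC 2018 "
            f"until: {until}\nCertificate fingerprints:\n\t SHA256: {fp}\n")

OLD_KEY = _sample("AB", "Tue Dec 29 09:12:44 UTC 2043")  # key of the 4 older apps
NEW_KEY = _sample("CD", "Sat Jan 01 09:12:44 UTC 2033")  # a different, short-lived key

if __name__ == "__main__":
    print("same key:", check_update(OLD_KEY, OLD_KEY))
    print("new key: ", check_update(OLD_KEY, NEW_KEY))
```

The comparison is by calendar date only, so a certificate expiring on the cutoff day itself is reported as failing.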