Setting up Android application signing (Keystore, Signing Config)

Android Application Signing Setup (Keystore, Signing Config)

Losing keystore is irreversible. If private key is lost, updating existing app on Google Play is impossible. Must publish new application with new package name, losing all reviews, download history, and rankings. This is not an exaggeration—exactly how stories with keystore "that only existed on one developer's laptop" end.

Keystore Creation and Storage

Generation via keytool:

keytool -genkeypair -v \
  -keystore release.keystore \
  -alias myapp \
  -keyalg RSA \
  -keysize 2048 \
  -validity 10000 \
  -storetype JKS

-validity 10000—approximately 27 years. Google recommends minimum 25 years for Play Store apps. Shorter period—Google Play will refuse updates later.

Keystore cannot be stored in git repository. Ever. Even private. Storage rules: encrypted backup in cloud storage (minimum two), physical copy off-site, passwords—separate from file.

Signing Config Configuration in Gradle

Direct path and password in build.gradle—antipattern:

// DON'T DO THIS—passwords in repo
signingConfigs {
    release {
        storeFile file("../keys/release.keystore")
        storePassword "mysecretpassword"  // will leak to git
        keyAlias "myapp"
        keyPassword "mysecretpassword"
    }
}

Correct approach—via environment variables or local.properties:

// build.gradle (app)
def keystoreProperties = new Properties()
def keystorePropertiesFile = rootProject.file('keystore.properties')
if (keystorePropertiesFile.exists()) {
    keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
}

android {
    signingConfigs {
        release {
            keyAlias keystoreProperties['keyAlias'] ?: System.getenv('KEY_ALIAS')
            keyPassword keystoreProperties['keyPassword'] ?: System.getenv('KEY_PASSWORD')
            storeFile keystoreProperties['storeFile'] ?
                file(keystoreProperties['storeFile']) : null
            storePassword keystoreProperties['storePassword'] ?: System.getenv('STORE_PASSWORD')
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
}

keystore.properties in .gitignore. On CI pass environment variables directly.

Kotlin DSL Variant

// build.gradle.kts
val keystoreProperties = Properties()
val keystoreFile = rootProject.file("keystore.properties")
if (keystoreFile.exists()) {
    keystoreProperties.load(keystoreFile.inputStream())
}

android {
    signingConfigs {
        create("release") {
            keyAlias = keystoreProperties.getProperty("keyAlias")
                ?: System.getenv("KEY_ALIAS")
            keyPassword = keystoreProperties.getProperty("keyPassword")
                ?: System.getenv("KEY_PASSWORD")
            storeFile = keystoreProperties.getProperty("storeFile")?.let { file(it) }
            storePassword = keystoreProperties.getProperty("storePassword")
                ?: System.getenv("STORE_PASSWORD")
        }
    }
}

Play App Signing

Google offers Play App Signing—your upload key signs APK/AAB on upload, Google repackages with separate app signing key. Insurance: if upload key lost, Google can rotate it. Yet app signing key fingerprint for SHA-256 (needed for Firebase, OAuth, deeplinks) comes from app signing key, not upload key—people confuse this regularly.

Enable Play App Signing: Play Console → Release → Setup → App signing. Cannot disable after.

# Check current keystore fingerprint
keytool -list -v -keystore release.keystore -alias myapp
# In Play Console: Setup → App signing → App signing key certificate—compare SHA-256

CI/CD Integration

On GitHub Actions:

- name: Sign APK
  env:
    KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
    KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
    KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
    STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
  run: |
    echo "$KEYSTORE_BASE64" | base64 --decode > release.keystore
    ./gradlew bundleRelease \
      -Pandroid.injected.signing.store.file=$(pwd)/release.keystore \
      -Pandroid.injected.signing.store.password=$STORE_PASSWORD \
      -Pandroid.injected.signing.key.alias=$KEY_ALIAS \
      -Pandroid.injected.signing.key.password=$KEY_PASSWORD

Encode keystore in base64 (base64 release.keystore) and save in repo secrets. On agent decode to file, use, delete.

Workflow

Generate production keystore with correct validity, secure storage.

Configure Signing Config in Gradle via environment variables, no passwords in code.

Optional: enable Play App Signing, get new fingerprint for Firebase/OAuth.

Configure CI/CD pipeline with secrets, test release APK/AAB build.

Timeline

Signing Config and CI/CD setup for one flavor—2–4 hours. Multiple flavor configs and Play App Signing integration—1 day.