Skip to content

Commit 08e5b8a

Browse files
authored
docs: add Play signing fingerprint checklist (#454) (#490)
1 parent 5a1b8e1 commit 08e5b8a

5 files changed

Lines changed: 188 additions & 1 deletion
Lines changed: 137 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,137 @@
1+
# Android Play Signing Fingerprints
2+
3+
Use this checklist to complete issue #454 after Play App Signing and the
4+
upload key decision are finalized for `club.devkor.ontime`.
5+
6+
Do not paste keystores, passwords, service-account JSON, or raw
7+
`google-services.json` contents into issues, pull requests, chat, or screenshots.
8+
Fingerprints are safe to record, but the evidence should still avoid exposing
9+
unrelated Play Console or Firebase project data.
10+
11+
## Preconditions
12+
13+
- #450 is complete: the upload keystore owner, storage process, and local or CI
14+
signing inputs are known.
15+
- #451 is complete: the release Firebase config source is known and validates
16+
package `club.devkor.ontime`.
17+
- Play App Signing is active or the release owner has confirmed the first-upload
18+
setup path in Play Console.
19+
- The release owner can access Google Play Console, Firebase console, and every
20+
auth provider console used by Android release sign-in.
21+
22+
## Values To Record
23+
24+
Record the following in the secure release record or issue status note:
25+
26+
| Field | Value |
27+
| --- | --- |
28+
| Package name | `club.devkor.ontime` |
29+
| Play App Signing status | Pending / Active |
30+
| Play app signing certificate SHA-1 | |
31+
| Play app signing certificate SHA-256 | |
32+
| Upload key certificate SHA-1 | |
33+
| Upload key certificate SHA-256 | |
34+
| Firebase project | `ontime-c63f1` |
35+
| Firebase Android app package | `club.devkor.ontime` |
36+
| Firebase fingerprints updated by | |
37+
| Firebase fingerprints updated at | |
38+
| Google Sign-In Android OAuth client checked | Yes / No / Not used |
39+
| Kakao Android key hash checked | Yes / No / Not used |
40+
| Backend allowlist checked, if any | Yes / No / Not used |
41+
| Updated release `google-services.json` secret required | Yes / No |
42+
43+
## Collect Play Console Fingerprints
44+
45+
1. Open Google Play Console for `club.devkor.ontime`.
46+
2. Go to **Test and release** > **Setup** > **App signing**. The same page is
47+
also linked from **Test and release** > **App integrity**.
48+
3. Confirm whether Play App Signing is active.
49+
4. Copy the app signing key certificate SHA-1 and SHA-256 fingerprints.
50+
5. Copy the upload key certificate SHA-1 and SHA-256 fingerprints.
51+
6. Confirm the upload key shown in Play Console matches the keystore used by
52+
local release signing or the `ANDROID_UPLOAD_KEYSTORE_B64` CI secret.
53+
54+
If the first upload has not happened yet, stop here and record that #454 is
55+
waiting on the initial signed AAB upload and Play App Signing enrollment.
56+
57+
## Cross-Check The Upload Keystore
58+
59+
The release owner can verify the local upload key without exposing the keystore:
60+
61+
```sh
62+
keytool -list -v \
63+
-keystore /absolute/path/to/ontime-upload.jks \
64+
-alias <upload-key-alias>
65+
```
66+
67+
Compare the SHA-1 and SHA-256 output with the Play Console upload key
68+
certificate. If they differ, do not upload a release until the release owner
69+
confirms whether Play Console needs an upload-key reset or CI/local signing is
70+
using the wrong keystore.
71+
72+
## Update Firebase
73+
74+
1. Open Firebase console for project `ontime-c63f1`.
75+
2. Open **Project settings** > **General** > Android app
76+
`club.devkor.ontime`.
77+
3. Add the Play app signing certificate SHA-1 and SHA-256 fingerprints.
78+
4. Add the upload key certificate SHA-1 and SHA-256 fingerprints if the team
79+
uses locally installed release APKs, direct App Distribution builds, or any
80+
provider flow that validates the upload-key-signed artifact before Play
81+
re-signing.
82+
5. Check whether Firebase generated an updated `google-services.json`.
83+
6. If the file changed, update only the secure
84+
`ANDROID_GOOGLE_SERVICES_JSON_B64` secret and validate the decoded file with:
85+
86+
```sh
87+
cd android
88+
gradle :app:validateAndroidGoogleServices
89+
```
90+
91+
Do not commit `google-services.json`.
92+
93+
## Update Auth Provider Consoles
94+
95+
Check every Android release auth provider used by the app:
96+
97+
- Google Sign-In: confirm the Android OAuth client uses package
98+
`club.devkor.ontime` and the Play app signing SHA-1. If separate debug,
99+
upload-key, or internal-testing clients are required, record why.
100+
- Kakao: confirm the Android platform entry uses package `club.devkor.ontime`
101+
and the release key hash derived from the finalized signing certificate.
102+
- Backend OAuth settings: if the backend validates Android package or
103+
certificate fingerprints, confirm its allowlist matches the finalized release
104+
values.
105+
106+
## Completion Evidence
107+
108+
Paste a status note using this template:
109+
110+
```md
111+
## #454 Play Signing Fingerprint Status
112+
113+
- Play App Signing status:
114+
- Package: `club.devkor.ontime`
115+
- Play app signing SHA-1:
116+
- Play app signing SHA-256:
117+
- Upload key SHA-1:
118+
- Upload key SHA-256:
119+
- Firebase Android app updated: yes/no
120+
- `ANDROID_GOOGLE_SERVICES_JSON_B64` rotated: yes/no/not needed
121+
- Google Sign-In checked: yes/no/not used
122+
- Kakao checked: yes/no/not used
123+
- Backend allowlist checked: yes/no/not used
124+
- Verified by:
125+
- Verified date:
126+
- Remaining blockers:
127+
```
128+
129+
Issue #454 is complete only when the fingerprints are recorded, Firebase has
130+
the required release fingerprints, and the provider settings are checked against
131+
the release package and final certificate values.
132+
133+
## References
134+
135+
- Google Play Console Help: <https://support.google.com/googleplay/android-developer/answer/9842756>
136+
- Firebase Management API SHA certificates: <https://firebase.google.com/docs/reference/firebase-management/rest/v1beta1/projects.androidApps.sha>
137+
- Kakao Developers app settings: <https://developers.kakao.com/docs/en/app-setting/app>

docs/Android-Release-Configuration.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,7 +86,11 @@ The task fails if the file is missing, invalid JSON, or missing a `client_info.a
8686

8787
## Auth Fingerprints
8888

89-
Release SHA-1 and SHA-256 fingerprints must be added to Firebase after the release signing owner, upload key, and Play App Signing setup are finalized. Track that work in #454; do not rotate or replace `ANDROID_GOOGLE_SERVICES_JSON_B64` for fingerprint changes until the release owner confirms the final signing fingerprints.
89+
Release SHA-1 and SHA-256 fingerprints must be added to Firebase after the
90+
release signing owner, upload key, and Play App Signing setup are finalized.
91+
Use `docs/Android-Play-Signing-Fingerprints.md` for the #454 checklist. Do not
92+
rotate or replace `ANDROID_GOOGLE_SERVICES_JSON_B64` for fingerprint changes
93+
until the release owner confirms the final signing fingerprints.
9094

9195
## Verification
9296

docs/Android-Signing-Setup.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -131,6 +131,8 @@ builds do not require release signing secrets.
131131
5. Upload the `.aab` from `build/app/outputs/bundle/release/`.
132132
6. After Play App Signing is active, continue signing future uploads with the
133133
same local upload key.
134+
7. Record the Play app signing and upload key SHA-1/SHA-256 fingerprints using
135+
`docs/Android-Play-Signing-Fingerprints.md`.
134136

135137
## Existing Play Console App
136138

docs/Home.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ Welcome to the OnTime-front project documentation! This wiki contains everything
1111
- [Release Checklist](./Release-Checklist.md) - Reusable release gates,
1212
verification commands, store checks, and rollout handoff
1313
- [Android Release Signing](./Android-Release-Signing.md) - Required keystore inputs and release signing validation
14+
- [Android Play Signing Fingerprints](./Android-Play-Signing-Fingerprints.md) - Play App Signing, Firebase, and auth-provider fingerprint checklist
1415
- [Android Release Configuration](./Android-Release-Configuration.md) - Firebase config, signed AAB workflow, and Play internal deploy setup
1516
- [iOS Release Configuration](./iOS-Release-Configuration.md) - Required Dart defines and archive validation
1617
- [Privacy Policy Hosting](./Privacy-Policy-Hosting.md) - Public HTTPS privacy policy hosting checklist and evidence form
Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
# Issue 454 Play Signing Fingerprints Plan
2+
3+
Parent track: #467
4+
Sub-issue: #454 - Verify Play App Signing and certificate fingerprints
5+
6+
## Current Status
7+
8+
#454 is externally blocked. The repo can prepare the release-owner checklist,
9+
but Codex cannot complete the acceptance criteria without Play Console,
10+
Firebase console, provider console access, and the finalized Play App Signing
11+
state.
12+
13+
## Blockers
14+
15+
- Play App Signing must be active or the first-upload setup path must be
16+
confirmed in Play Console.
17+
- The release owner must confirm the upload key used by local and CI signing.
18+
- Firebase console access is required to add release SHA-1 and SHA-256
19+
fingerprints to the Android app for `club.devkor.ontime`.
20+
- Google Sign-In, Kakao, and any backend allowlists require owner access to
21+
verify release package and fingerprint settings.
22+
23+
## Repo-Side Work
24+
25+
- Add a secret-free checklist for collecting Play app signing and upload key
26+
certificate fingerprints.
27+
- Include an evidence template that can be pasted into the issue or secure
28+
release record.
29+
- Link the checklist from existing Android release configuration and signing
30+
docs.
31+
32+
## Verification
33+
34+
- `git diff --check`
35+
- `rg -n "Android Play Signing Fingerprints|Play app signing|SHA-256|#454" docs plans`
36+
37+
## Explicitly Left Out
38+
39+
- Recording real fingerprints before Play Console setup is complete.
40+
- Updating Firebase or provider console settings without account access.
41+
- Creating or exposing keystores, passwords, service-account JSON, or
42+
`google-services.json`.
43+
- Claiming #454 is complete before the release owner records the final values.

0 commit comments

Comments
 (0)