|
| 1 | +# Android Play Signing Fingerprints |
| 2 | + |
| 3 | +Use this checklist to complete issue #454 after Play App Signing and the |
| 4 | +upload key decision are finalized for `club.devkor.ontime`. |
| 5 | + |
| 6 | +Do not paste keystores, passwords, service-account JSON, or raw |
| 7 | +`google-services.json` contents into issues, pull requests, chat, or screenshots. |
| 8 | +Fingerprints are safe to record, but the evidence should still avoid exposing |
| 9 | +unrelated Play Console or Firebase project data. |
| 10 | + |
| 11 | +## Preconditions |
| 12 | + |
| 13 | +- #450 is complete: the upload keystore owner, storage process, and local or CI |
| 14 | + signing inputs are known. |
| 15 | +- #451 is complete: the release Firebase config source is known and validates |
| 16 | + package `club.devkor.ontime`. |
| 17 | +- Play App Signing is active or the release owner has confirmed the first-upload |
| 18 | + setup path in Play Console. |
| 19 | +- The release owner can access Google Play Console, Firebase console, and every |
| 20 | + auth provider console used by Android release sign-in. |
| 21 | + |
| 22 | +## Values To Record |
| 23 | + |
| 24 | +Record the following in the secure release record or issue status note: |
| 25 | + |
| 26 | +| Field | Value | |
| 27 | +| --- | --- | |
| 28 | +| Package name | `club.devkor.ontime` | |
| 29 | +| Play App Signing status | Pending / Active | |
| 30 | +| Play app signing certificate SHA-1 | | |
| 31 | +| Play app signing certificate SHA-256 | | |
| 32 | +| Upload key certificate SHA-1 | | |
| 33 | +| Upload key certificate SHA-256 | | |
| 34 | +| Firebase project | `ontime-c63f1` | |
| 35 | +| Firebase Android app package | `club.devkor.ontime` | |
| 36 | +| Firebase fingerprints updated by | | |
| 37 | +| Firebase fingerprints updated at | | |
| 38 | +| Google Sign-In Android OAuth client checked | Yes / No / Not used | |
| 39 | +| Kakao Android key hash checked | Yes / No / Not used | |
| 40 | +| Backend allowlist checked, if any | Yes / No / Not used | |
| 41 | +| Updated release `google-services.json` secret required | Yes / No | |
| 42 | + |
| 43 | +## Collect Play Console Fingerprints |
| 44 | + |
| 45 | +1. Open Google Play Console for `club.devkor.ontime`. |
| 46 | +2. Go to **Test and release** > **Setup** > **App signing**. The same page is |
| 47 | + also linked from **Test and release** > **App integrity**. |
| 48 | +3. Confirm whether Play App Signing is active. |
| 49 | +4. Copy the app signing key certificate SHA-1 and SHA-256 fingerprints. |
| 50 | +5. Copy the upload key certificate SHA-1 and SHA-256 fingerprints. |
| 51 | +6. Confirm the upload key shown in Play Console matches the keystore used by |
| 52 | + local release signing or the `ANDROID_UPLOAD_KEYSTORE_B64` CI secret. |
| 53 | + |
| 54 | +If the first upload has not happened yet, stop here and record that #454 is |
| 55 | +waiting on the initial signed AAB upload and Play App Signing enrollment. |
| 56 | + |
| 57 | +## Cross-Check The Upload Keystore |
| 58 | + |
| 59 | +The release owner can verify the local upload key without exposing the keystore: |
| 60 | + |
| 61 | +```sh |
| 62 | +keytool -list -v \ |
| 63 | + -keystore /absolute/path/to/ontime-upload.jks \ |
| 64 | + -alias <upload-key-alias> |
| 65 | +``` |
| 66 | + |
| 67 | +Compare the SHA-1 and SHA-256 output with the Play Console upload key |
| 68 | +certificate. If they differ, do not upload a release until the release owner |
| 69 | +confirms whether Play Console needs an upload-key reset or CI/local signing is |
| 70 | +using the wrong keystore. |
| 71 | + |
| 72 | +## Update Firebase |
| 73 | + |
| 74 | +1. Open Firebase console for project `ontime-c63f1`. |
| 75 | +2. Open **Project settings** > **General** > Android app |
| 76 | + `club.devkor.ontime`. |
| 77 | +3. Add the Play app signing certificate SHA-1 and SHA-256 fingerprints. |
| 78 | +4. Add the upload key certificate SHA-1 and SHA-256 fingerprints if the team |
| 79 | + uses locally installed release APKs, direct App Distribution builds, or any |
| 80 | + provider flow that validates the upload-key-signed artifact before Play |
| 81 | + re-signing. |
| 82 | +5. Check whether Firebase generated an updated `google-services.json`. |
| 83 | +6. If the file changed, update only the secure |
| 84 | + `ANDROID_GOOGLE_SERVICES_JSON_B64` secret and validate the decoded file with: |
| 85 | + |
| 86 | +```sh |
| 87 | +cd android |
| 88 | +gradle :app:validateAndroidGoogleServices |
| 89 | +``` |
| 90 | + |
| 91 | +Do not commit `google-services.json`. |
| 92 | + |
| 93 | +## Update Auth Provider Consoles |
| 94 | + |
| 95 | +Check every Android release auth provider used by the app: |
| 96 | + |
| 97 | +- Google Sign-In: confirm the Android OAuth client uses package |
| 98 | + `club.devkor.ontime` and the Play app signing SHA-1. If separate debug, |
| 99 | + upload-key, or internal-testing clients are required, record why. |
| 100 | +- Kakao: confirm the Android platform entry uses package `club.devkor.ontime` |
| 101 | + and the release key hash derived from the finalized signing certificate. |
| 102 | +- Backend OAuth settings: if the backend validates Android package or |
| 103 | + certificate fingerprints, confirm its allowlist matches the finalized release |
| 104 | + values. |
| 105 | + |
| 106 | +## Completion Evidence |
| 107 | + |
| 108 | +Paste a status note using this template: |
| 109 | + |
| 110 | +```md |
| 111 | +## #454 Play Signing Fingerprint Status |
| 112 | + |
| 113 | +- Play App Signing status: |
| 114 | +- Package: `club.devkor.ontime` |
| 115 | +- Play app signing SHA-1: |
| 116 | +- Play app signing SHA-256: |
| 117 | +- Upload key SHA-1: |
| 118 | +- Upload key SHA-256: |
| 119 | +- Firebase Android app updated: yes/no |
| 120 | +- `ANDROID_GOOGLE_SERVICES_JSON_B64` rotated: yes/no/not needed |
| 121 | +- Google Sign-In checked: yes/no/not used |
| 122 | +- Kakao checked: yes/no/not used |
| 123 | +- Backend allowlist checked: yes/no/not used |
| 124 | +- Verified by: |
| 125 | +- Verified date: |
| 126 | +- Remaining blockers: |
| 127 | +``` |
| 128 | + |
| 129 | +Issue #454 is complete only when the fingerprints are recorded, Firebase has |
| 130 | +the required release fingerprints, and the provider settings are checked against |
| 131 | +the release package and final certificate values. |
| 132 | + |
| 133 | +## References |
| 134 | + |
| 135 | +- Google Play Console Help: <https://support.google.com/googleplay/android-developer/answer/9842756> |
| 136 | +- Firebase Management API SHA certificates: <https://firebase.google.com/docs/reference/firebase-management/rest/v1beta1/projects.androidApps.sha> |
| 137 | +- Kakao Developers app settings: <https://developers.kakao.com/docs/en/app-setting/app> |
0 commit comments