Skip to content

Commit 0e2487b

Browse files
committed
Merge remote-tracking branch 'origin/main' into codexd/456-android-release-smoke-test
# Conflicts: # docs/Home.md
2 parents d847e52 + 5db6b95 commit 0e2487b

12 files changed

Lines changed: 637 additions & 1 deletion
Lines changed: 85 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,85 @@
1+
# Android Developer Verification
2+
3+
Use this checklist to complete and record the Play Console developer
4+
verification and Android package-name registration status for OnTime.
5+
6+
This work requires Google Play Console access for the developer account that
7+
owns `club.devkor.ontime`. Do not paste government IDs, addresses, phone
8+
verification codes, payment profile details, keystores, private keys, or
9+
unredacted Play Console screenshots into git, issues, pull requests, or chat.
10+
11+
## Required Access
12+
13+
- Google Play Console access for the OnTime developer account.
14+
- Permission to view developer account verification status.
15+
- Permission to create or inspect the Play Console app for package
16+
`club.devkor.ontime`.
17+
- Access to the release signing owner if package registration requires the
18+
SHA-256 certificate fingerprint or a signed proof APK.
19+
20+
## Console Checks
21+
22+
1. Open Play Console for the OnTime developer account.
23+
2. Check the developer account verification banner, Home tasks, and account
24+
verification pages.
25+
3. Record whether identity verification is complete, pending, rejected, or not
26+
yet available for this account.
27+
4. Open or create the Play Console app whose package name is
28+
`club.devkor.ontime`.
29+
5. Check whether Google has automatically registered the package name for the
30+
verified Play developer identity.
31+
6. If manual package-name registration is required, register
32+
`club.devkor.ontime` with the release signing certificate SHA-256
33+
fingerprint.
34+
7. If Google requires proof for an existing package name, follow the Play
35+
Console ownership flow using a signed APK generated with the matching
36+
private signing key.
37+
8. Record any deadline, rejected field, blocked step, or Google support case.
38+
39+
Google's current package-name registration guidance says package registration
40+
is blocked until Android developer identity verification is complete, and that
41+
Google planned to try automatic registration for Play apps before the broader
42+
Android developer verification launch. Confirm the actual status in the OnTime
43+
Play Console account because rollout timing and account eligibility are
44+
account-specific.
45+
46+
Reference:
47+
48+
- Play Console Help: Registering Android package names -
49+
https://support.google.com/googleplay/android-developer/answer/16761053
50+
- Play Console Help: Verify your developer identity information -
51+
https://support.google.com/googleplay/android-developer/answer/10841920
52+
- Play Console Help: Create and set up your app -
53+
https://support.google.com/googleplay/android-developer/answer/9859152
54+
55+
## Status Record
56+
57+
Fill this section after checking Play Console. Keep sensitive identity and
58+
signing details in the secure account record, not in this repository.
59+
60+
```text
61+
Checked by:
62+
Checked date:
63+
Play Console account:
64+
Developer account type: personal / organization / other
65+
Developer identity verification status:
66+
Verification deadline:
67+
Package name: club.devkor.ontime
68+
Play Console app exists: yes / no
69+
Package auto-registered by Google: yes / no / not shown
70+
Manual package registration required: yes / no / unclear
71+
Signing certificate SHA-256 source: Play App Signing / upload key / local release key / not needed
72+
Package registration status:
73+
Google support case:
74+
Remaining follow-up:
75+
Evidence location:
76+
```
77+
78+
## Completion Criteria
79+
80+
- Developer identity verification status is known.
81+
- Package-name registration status for `club.devkor.ontime` is known.
82+
- Manual registration is completed if Play Console requires it.
83+
- Any follow-up deadline or Google support case is recorded in the secure
84+
release account record and summarized in the release issue without sensitive
85+
details.
Lines changed: 137 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,137 @@
1+
# Android Play Signing Fingerprints
2+
3+
Use this checklist to complete issue #454 after Play App Signing and the
4+
upload key decision are finalized for `club.devkor.ontime`.
5+
6+
Do not paste keystores, passwords, service-account JSON, or raw
7+
`google-services.json` contents into issues, pull requests, chat, or screenshots.
8+
Fingerprints are safe to record, but the evidence should still avoid exposing
9+
unrelated Play Console or Firebase project data.
10+
11+
## Preconditions
12+
13+
- #450 is complete: the upload keystore owner, storage process, and local or CI
14+
signing inputs are known.
15+
- #451 is complete: the release Firebase config source is known and validates
16+
package `club.devkor.ontime`.
17+
- Play App Signing is active or the release owner has confirmed the first-upload
18+
setup path in Play Console.
19+
- The release owner can access Google Play Console, Firebase console, and every
20+
auth provider console used by Android release sign-in.
21+
22+
## Values To Record
23+
24+
Record the following in the secure release record or issue status note:
25+
26+
| Field | Value |
27+
| --- | --- |
28+
| Package name | `club.devkor.ontime` |
29+
| Play App Signing status | Pending / Active |
30+
| Play app signing certificate SHA-1 | |
31+
| Play app signing certificate SHA-256 | |
32+
| Upload key certificate SHA-1 | |
33+
| Upload key certificate SHA-256 | |
34+
| Firebase project | `ontime-c63f1` |
35+
| Firebase Android app package | `club.devkor.ontime` |
36+
| Firebase fingerprints updated by | |
37+
| Firebase fingerprints updated at | |
38+
| Google Sign-In Android OAuth client checked | Yes / No / Not used |
39+
| Kakao Android key hash checked | Yes / No / Not used |
40+
| Backend allowlist checked, if any | Yes / No / Not used |
41+
| Updated release `google-services.json` secret required | Yes / No |
42+
43+
## Collect Play Console Fingerprints
44+
45+
1. Open Google Play Console for `club.devkor.ontime`.
46+
2. Go to **Test and release** > **Setup** > **App signing**. The same page is
47+
also linked from **Test and release** > **App integrity**.
48+
3. Confirm whether Play App Signing is active.
49+
4. Copy the app signing key certificate SHA-1 and SHA-256 fingerprints.
50+
5. Copy the upload key certificate SHA-1 and SHA-256 fingerprints.
51+
6. Confirm the upload key shown in Play Console matches the keystore used by
52+
local release signing or the `ANDROID_UPLOAD_KEYSTORE_B64` CI secret.
53+
54+
If the first upload has not happened yet, stop here and record that #454 is
55+
waiting on the initial signed AAB upload and Play App Signing enrollment.
56+
57+
## Cross-Check The Upload Keystore
58+
59+
The release owner can verify the local upload key without exposing the keystore:
60+
61+
```sh
62+
keytool -list -v \
63+
-keystore /absolute/path/to/ontime-upload.jks \
64+
-alias <upload-key-alias>
65+
```
66+
67+
Compare the SHA-1 and SHA-256 output with the Play Console upload key
68+
certificate. If they differ, do not upload a release until the release owner
69+
confirms whether Play Console needs an upload-key reset or CI/local signing is
70+
using the wrong keystore.
71+
72+
## Update Firebase
73+
74+
1. Open Firebase console for project `ontime-c63f1`.
75+
2. Open **Project settings** > **General** > Android app
76+
`club.devkor.ontime`.
77+
3. Add the Play app signing certificate SHA-1 and SHA-256 fingerprints.
78+
4. Add the upload key certificate SHA-1 and SHA-256 fingerprints if the team
79+
uses locally installed release APKs, direct App Distribution builds, or any
80+
provider flow that validates the upload-key-signed artifact before Play
81+
re-signing.
82+
5. Check whether Firebase generated an updated `google-services.json`.
83+
6. If the file changed, update only the secure
84+
`ANDROID_GOOGLE_SERVICES_JSON_B64` secret and validate the decoded file with:
85+
86+
```sh
87+
cd android
88+
gradle :app:validateAndroidGoogleServices
89+
```
90+
91+
Do not commit `google-services.json`.
92+
93+
## Update Auth Provider Consoles
94+
95+
Check every Android release auth provider used by the app:
96+
97+
- Google Sign-In: confirm the Android OAuth client uses package
98+
`club.devkor.ontime` and the Play app signing SHA-1. If separate debug,
99+
upload-key, or internal-testing clients are required, record why.
100+
- Kakao: confirm the Android platform entry uses package `club.devkor.ontime`
101+
and the release key hash derived from the finalized signing certificate.
102+
- Backend OAuth settings: if the backend validates Android package or
103+
certificate fingerprints, confirm its allowlist matches the finalized release
104+
values.
105+
106+
## Completion Evidence
107+
108+
Paste a status note using this template:
109+
110+
```md
111+
## #454 Play Signing Fingerprint Status
112+
113+
- Play App Signing status:
114+
- Package: `club.devkor.ontime`
115+
- Play app signing SHA-1:
116+
- Play app signing SHA-256:
117+
- Upload key SHA-1:
118+
- Upload key SHA-256:
119+
- Firebase Android app updated: yes/no
120+
- `ANDROID_GOOGLE_SERVICES_JSON_B64` rotated: yes/no/not needed
121+
- Google Sign-In checked: yes/no/not used
122+
- Kakao checked: yes/no/not used
123+
- Backend allowlist checked: yes/no/not used
124+
- Verified by:
125+
- Verified date:
126+
- Remaining blockers:
127+
```
128+
129+
Issue #454 is complete only when the fingerprints are recorded, Firebase has
130+
the required release fingerprints, and the provider settings are checked against
131+
the release package and final certificate values.
132+
133+
## References
134+
135+
- Google Play Console Help: <https://support.google.com/googleplay/android-developer/answer/9842756>
136+
- Firebase Management API SHA certificates: <https://firebase.google.com/docs/reference/firebase-management/rest/v1beta1/projects.androidApps.sha>
137+
- Kakao Developers app settings: <https://developers.kakao.com/docs/en/app-setting/app>

docs/Android-Release-Configuration.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,7 +86,11 @@ The task fails if the file is missing, invalid JSON, or missing a `client_info.a
8686

8787
## Auth Fingerprints
8888

89-
Release SHA-1 and SHA-256 fingerprints must be added to Firebase after the release signing owner, upload key, and Play App Signing setup are finalized. Track that work in #454; do not rotate or replace `ANDROID_GOOGLE_SERVICES_JSON_B64` for fingerprint changes until the release owner confirms the final signing fingerprints.
89+
Release SHA-1 and SHA-256 fingerprints must be added to Firebase after the
90+
release signing owner, upload key, and Play App Signing setup are finalized.
91+
Use `docs/Android-Play-Signing-Fingerprints.md` for the #454 checklist. Do not
92+
rotate or replace `ANDROID_GOOGLE_SERVICES_JSON_B64` for fingerprint changes
93+
until the release owner confirms the final signing fingerprints.
9094

9195
## Verification
9296

docs/Android-Signing-Setup.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -131,6 +131,8 @@ builds do not require release signing secrets.
131131
5. Upload the `.aab` from `build/app/outputs/bundle/release/`.
132132
6. After Play App Signing is active, continue signing future uploads with the
133133
same local upload key.
134+
7. Record the Play app signing and upload key SHA-1/SHA-256 fingerprints using
135+
`docs/Android-Play-Signing-Fingerprints.md`.
134136

135137
## Existing Play Console App
136138

0 commit comments

Comments
 (0)