Frequently Asked Audit Questions
I'm sure many developers have had an application rejected during review because of signature issues, such as:
- The new version and the version already in the store have inconsistent signatures
- Account login or payment reports that the signature is inconsistent with the platform configuration
- HMS services such as Push fail to integrate, or the map cannot be loaded, because the certificate fingerprint does not match
- After the application is released, copies installed from different channels cannot be updated, with a prompt about inconsistent signatures

and so on.
You must then have a question: the signature is clearly consistent and local testing shows no problem, so why is the application rejected as soon as Huawei reviews it? If you encounter any of the preceding problems, the application signing service of Huawei AGC may have re-signed your application.
What is application signing?
To solve these problems, we first need to know what application signing is.
There is a lot of information on the Internet, but remember the following two points:
- The signature is very important. The app must have a signature; without one it will not be allowed to launch.
- The signature cannot be changed. Once it is changed, a lot of things break: the certificate fingerprint changes, authentication changes, the application can no longer be updated, and so on. In short, many services that rely on the signature become unavailable.

Therefore, most developers use Android Studio or the command line to sign the application during development.
What is the AGC application signing service?
What does the AGC application signing service do? AGC provides another way to sign your application!
There are two ways:
The first is that AGC generates a completely new signature for your application. The signature is bound to change, and the new one is unique in the universe.
The corresponding interface option is called "Let AG Connect Create and manage my application signing key".
Why only new applications? As mentioned earlier, this method generates a new signature for you. If you already have a live application, this method cannot produce the same signature as the live application, so of course it will not work.
The second is that AGC does not generate a new signature for you. AGC only uses the signature file you upload to sign your application. What the resulting signature is depends on what you upload; AGC is just keeping it. The corresponding interface option is called "export and Upload keys and certificates".
This means that you use a tool or command to export your signing key as a zip signature file and then upload it to AGC, which uses this file to sign your application. So if you have a live app, make sure you upload the same signature file as the one used for the live app; otherwise your app will end up with a different signature.
It is worth noting that this method now supports verification: if the uploaded signature differs from that of the version in the store, AGC shows a prompt and does not allow the upload.
For example, suppose you have an app that you signed locally with Android Studio, with signature A, and you use AGC's application signing service. If you choose the first option, AGC generates a new signature B, and your app's signature is changed to B when it is approved and finally released. So it is very likely that you test locally with signature A while the application is reviewed and released with signature B.
If you choose the second option, you need to upload a signature zip file. If the zip file was generated from signature A, your application will be approved and released with signature A. If it was generated from B, the signature is B; if from C, the signature is C. Whatever you upload is your signature.
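The signature A versus signature B situation above can be checked before submitting anything. This is an added example, not code from the original article or from Huawei: it parses the fingerprint lines printed by `keytool -printcert -jarfile <apk>` for a locally signed build and a store-distributed build, and compares both with the fingerprint configured for a dependent service. The sample outputs, fingerprint bytes and function names are constructed for illustration.

```python
import re

# Constructed stand-in for `keytool -printcert -jarfile app.apk` output;
# the names and fingerprint bytes below are made up for this example.
TEMPLATE = ("Signer #1:\n\nOwner: CN=Example Developer\n"
            "Certificate fingerprints:\n"
            "\t SHA1: {sha1}\n\t SHA256: {sha256}\n"
            "Signature algorithm name: SHA256withRSA\n")

def sample_output(byte):
    return TEMPLATE.format(sha1=":".join([byte] * 20),
                           sha256=":".join([byte] * 32))

LOCAL_BUILD = sample_output("A1")   # signed locally: "signature A"
STORE_BUILD = sample_output("B2")   # downloaded from the store: "signature B"

FP_LINE = re.compile(r"^[ \t]*(SHA1|SHA256):[ \t]*([0-9A-Fa-f:]+)[ \t]*$", re.M)
HEX_LEN = {"SHA1": 40, "SHA256": 64}

def normalize(fp):
    """Lowercase hex without separators, so AA:BB and aabb compare equal."""
    hex_only = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return hex_only

def fingerprints(keytool_output):
    """Map algorithm -> set of fingerprints (an APK can have several signers)."""
    found = {}
    for algo, value in FP_LINE.findall(keytool_output):
        fp = normalize(value)
        if len(fp) != HEX_LEN[algo]:
            raise ValueError(f"truncated {algo} fingerprint: {value!r}")
        found.setdefault(algo, set()).add(fp)
    if "SHA256" not in found:
        raise ValueError("no SHA256 fingerprint found; is the APK signed?")
    return found

def check_release(local_out, store_out, configured_fp):
    """Compare both builds and the fingerprint configured for a service."""
    local = fingerprints(local_out)["SHA256"]
    store = fingerprints(store_out)["SHA256"]
    configured = normalize(configured_fp)
    return {"same_signer": local == store,
            "config_matches_local": configured in local,
            "config_matches_store": configured in store}

if __name__ == "__main__":
    print(check_release(LOCAL_BUILD, STORE_BUILD, ":".join(["A1"] * 32)))
```

A result with `same_signer` false and `config_matches_store` false is the case the article describes: local tests pass with signature A, while the released package carries signature B and the dependent service rejects it.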
How to choose?
So partners must neither choose the wrong method nor upload the wrong file. How do you choose? It's actually quite simple.
Generally speaking, new apps that target only Huawei should choose the first method. If you are listing on multiple channels, choose the second option and upload the same signature file as for the other stores. If some services, such as authentication and payment, rely on the signature, choose the second option.
If the app is already in the store, you can only choose the second option, and you must upload the same signature file as the existing version.
At this point, back to the original problem: we now know that the application signature was probably changed because the wrong signing method was chosen or the wrong signature file was uploaded. Unfortunately, once the signing service has been used, the signature cannot be deleted. The current solution is to remove the signature by deleting the application, then create the application again, select the correct signing method, and upload the correct signature file.
An aside:
- Application signing ≠ the application signing service: signing is required, while using the signing service is optional.
- An APK package can use the application signing service, but an AAB package must use the application signing service.
- If the signature is changed, the corresponding certificate fingerprint also changes. You need to configure the new certificate fingerprint for each dependent service.
For more details, see:
AGC application signature service: developer.huawei.com/consumer/cn…
The original link: developer.huawei.com/consumer/cn… Author: Chao Youting, Drum Tower