Google Play App Signing - Uploaded App Signed with Debug Keystore

Hi all,

I’ve opted in to use Google Play App Signing and I’ve just uploaded my Alpha APK to the Google Play Console using Corona’s Debug Keystore (still learning). I believe what this did was set Corona’s Debug Keystore as my Upload key.

I think this is a bad thing and I’m looking for confirmation from the community… Have I introduced a vulnerability? Do I need to recreate the entire application in Google Play Console?

Cheers.

Google should not let an app go live with a debug keystore.  Google is changing to a two-keystore method of submitting apps. You have one submission keystore, then you have a signing keystore and Google Play re-signs your app.

We don’t have a lot of experience with this two-keystore setup, so I can’t confirm that’s why they let you get away with a debug keystore. I do know that once you choose the two-keystore method, you have to use it with that app forever.

If you’re not too committed to your entry on Google Play, I would consider deleting it, restarting, and going with the known method of submission.

Rob

Thanks Rob.

Does the debug keystore sign apps with the same key for all Corona users?

Yes
