Google API 调试和发布密钥之间的区别

Question

I suppose this question has been answered a lot but I can't find any understandable answer.

I'm currently developing an Android App that uses Google Maps API. I managed to make it work for some time but I never truly understand how to correctly use the Debug and Release keys.

I don't know how to get the SHA-1 debug and release certificates for my app through Android Studio.

On the Playstore console, I can get the SHA-1 release certificate (see picture below) but I don't know how to get it before publishing my app on the store. And that's a problem because when I need to publish my app for the first time, I don'thave this certificate and the map can't work. I have to publish my app with a broken map and then retrieve the SHA-1 certificate through the Play Store console.

Moreover, I don't know how to add a debug and release key in my Android Studio project. On the Android view, in the res folder, I have a google_maps_api.xml with a debug tag (see picture below). But how can I add one for release ? Is it the same key ? In that case, why is there a debug tag here ?

Thanks for any tip and explanation you can give me!

Answer 1

Based on the Google Maps Places SDK for Android Documentation

A debug certificate : The Android SDK tools generate this certificate automatically when you do a debug build. Only use this certificate with apps that you're testing. Do not attempt to publish an app that's signed with a debug certificate. The debug certificate is described in more detail in Signing in Debug Mode in the Android Developer Documentation.

A release certificate :The Android SDK tools generate this certificate when you do a release build. You can also generate this certificate using the keytool program. Use this certificate when you are ready to release your app to the world.

Now to get your Release certificate, follow the steps below:

1. Locate your release certificate keystore file. There is no default location or name for the release keystore. If you don't specify one when you build your app for release, the build will leave your .apk unsigned, and you'll have to sign it before you can publish it. For the release certificate, you also need the certificate's alias and the passwords for the keystore and the certificate. You can list the aliases for all the keys in a keystore by entering:

    keytool -list -keystore your_keystore_name

Replace your_keystore_name with the fully-qualified path and name of the keystore, including the .keystore extension. You'll be prompted for the keystore's password. Then keytool displays all the aliases in the keystore.

2. Enter the following at a terminal or command prompt:

    keytool -list -v -keystore your_keystore_name -alias your_alias_name

Replace your_keystore_name with the fully-qualified path and name of the keystore, including the .keystore extension. Replace your_alias_name with the alias that you assigned to the certificate when you created it.

You should see output similar to this:

Alias name: <alias_name>
Creation date: Feb 02, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 4cc9b300
Valid from: Mon Feb 02 08:01:04 UTC 2013 until: Mon Feb 02 18:05:04 PST 2033
Certificate fingerprints:
    MD5:  AE:9F:95:D0:A6:86:89:BC:A8:70:BA:34:FF:6B:AC:F9
    SHA1: BB:0D:AC:74:D3:21:E1:43:67:71:9B:62:90:AF:A1:66:6E:44:5D:75
    Signature algorithm name: SHA1withRSA
    Version: 3

The line that begins SHA1 contains the certificate's SHA-1 fingerprint. The fingerprint is the sequence of 20 two-digit hexadecimal numbers separated by colons.

This certificate will be the one that you will include in your API key restriction in your GCP(Google Cloud Platform) Console.

Please also note that this can be found in the documentation mentioned above.

Answer 2

Sorry, my answer is not formatted properly. Remember the goal is not the names debug or release but to add a layer of security through encryption with private and public keys.

There are many formats in the security encryption world so in this context the formats used are from OpenSSL and Java.

Basically, you sign packages with a JKS java key store that contains the certificate and private/public keys.

To generate the keys follow https://source.android.com/devices/tech/ota/sign_builds#certificates-keys

The Keys will be generated using the OpenSSL framework and will come in formats .pk8 for the private key and x509.pem for the public certificate. You will get a bunch of keys: releasekey, shared, media and platform. The names don't really matter much. What matter is the $subject that you generate for your keys.

Once you have the keys based on the android docs you must convert them to PK12 which is the compatible format of the JKS. openssl pkcs12 -export -in platform.x509.pem -inkey /dev/stdin -name platform-debug -password pass:AStrongP4ssword -out tmp.p12

Finally, you can create you JKS that contains the PK12 formats.

keytool -genkey -keystore platform-debug.jks

# Import created JKS
keytool -importkeystore -deststorepass 'AStrongP4ssword' -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass 'AStrongP4ssword' -destkeystore release.jks -destkeypass 'AStrongP4ssword'