Android Certificates Setup

Complete guide to creating the Android signing keystore and Google Play service account required for building and publishing Android apps with Capgo Cloud Build.

To build and publish Android apps, you need:

  1. Signing Keystore (.keystore or .jks file) - Signs your app for release
  2. Google Play Service Account (.json file) - For automatic Play Store uploads

What You'll Create

  • Android Keystore file (.keystore or .jks)
  • Google Play Service Account JSON

Requirements

  • Java JDK installed (for keytool)
  • Google Play Console account
  • App already registered in Play Console

The keystore contains your private key used to sign your Android app. Every update to your app on the Play Store must be signed with the same key.

The keytool command is included with Java JDK. Open your terminal:

keytool -genkey -v \
  -keystore my-release-key.keystore \
  -alias my-key-alias \
  -keyalg RSA \
  -keysize 2048 \
  -validity 10000

You’ll be prompted for:

| Prompt | Description | Example |
|---|---|---|
| Keystore password | Password to open the keystore file | MySecurePassword123! |
| Key password | Password for this specific key (can be same as keystore) | MySecurePassword123! |
| First and last name | Your name or company name | John Doe |
| Organizational unit | Department (optional) | Mobile Development |
| Organization | Company name | My Company Inc. |
| City | Your city | San Francisco |
| State | Your state/province | California |
| Country code | Two-letter country code | US |

After completing the prompts, you’ll have a my-release-key.keystore file.

When saving credentials for Capgo, you’ll need these values:

| Value | Environment Variable | Description |
|---|---|---|
| Keystore file | ANDROID_KEYSTORE_FILE | Base64-encoded keystore file |
| Keystore password | KEYSTORE_STORE_PASSWORD | Password to open the keystore |
| Key alias | KEYSTORE_KEY_ALIAS | Name of your key in the keystore |
| Key password | KEYSTORE_KEY_PASSWORD | Password for the specific key |

Check that your keystore was created correctly:

# List all keys in the keystore
keytool -list -keystore my-release-key.keystore
# View detailed information about a specific key
keytool -list -v -keystore my-release-key.keystore -alias my-key-alias

You should see output showing your certificate details and expiration date.

Part 2: Create a Google Play Service Account

A service account allows Capgo to automatically upload your app to the Google Play Store.

  1. Open Google Play Console

    Go to Google Play Console and sign in.

  2. Navigate to API Access

    In the left sidebar, go to Setup → API access.

  3. Create a new service account

    In the “Service accounts” section, click “Create new service account”.

    A dialog will appear with a link to Google Cloud Console.

  4. Create the account in Google Cloud

    Click the link to open Google Cloud Console in a new tab.

    In Google Cloud Console:

    • Click “+ Create Service Account”
    • Service account name: Enter a descriptive name (e.g., capgo-play-upload)
    • Service account ID: Auto-generated from the name
    • Description: Optional (e.g., Service account for Capgo CI/CD uploads)
    • Click “Create and Continue”
  5. Skip the optional role assignment

    You don’t need to assign Google Cloud roles here. Click “Continue”, then “Done”.

  6. Create a JSON key

    Find your new service account in the list and click on it.

    Go to the “Keys” tab:

    • Click “Add Key” → “Create new key”
    • Select “JSON” format
    • Click “Create”

    The JSON file will download automatically. Keep this file secure!

  7. Grant Play Console permissions

    Go back to Google Play Console (the tab from step 3).

    Click “Refresh service accounts” or refresh the page.

    Find your new service account in the list and click “Manage Play Console permissions” (or “Grant access”).

  8. Set app permissions

    On the permissions page:

    Under “App permissions”:

    • Click “Add app”
    • Select your app from the list
    • Click “Apply”

    Under “Account permissions” (for the app you selected):

    • Check “Releases” → “Create, edit, and delete draft releases”
    • Check “Releases” → “Release to production, exclude devices, and use Play App Signing”
    • Check “Releases” → “Release apps to testing tracks”

    Click “Invite user”.

  9. Verify the invitation

    The service account should now appear in your users list with the permissions you granted.

Your service account needs these minimum permissions:

| Permission | Required For |
|---|---|
| Create, edit, and delete draft releases | Uploading new versions |
| Release to production, exclude devices, and use Play App Signing | Publishing to any track |
| Release apps to testing tracks | Publishing to internal/alpha/beta |

Now save your credentials for use with Capgo Cloud Build:

# Replace the placeholder passwords with your own.
# Values typed as arguments may be saved in your shell history.
npx @capgo/cli build credentials save \
  --platform android \
  --keystore ./my-release-key.keystore \
  --keystore-alias "my-key-alias" \
  --keystore-key-password "YourKeyPassword" \
  --keystore-store-password "YourStorePassword" \
  --play-config ./play-store-service-account.json

For CI/CD environments, encode files as base64 and set environment variables:

# Encode keystore to base64 and copy it to the clipboard (pbcopy is macOS-only)
base64 -i my-release-key.keystore | pbcopy
# Encode service account JSON to base64 and copy it to the clipboard
base64 -i play-store-service-account.json | pbcopy

Set these environment variables in your CI/CD secrets:

| Variable | Description |
|---|---|
| ANDROID_KEYSTORE_FILE | Base64-encoded keystore file |
| KEYSTORE_KEY_ALIAS | Key alias name in the keystore |
| KEYSTORE_KEY_PASSWORD | Password for the key |
| KEYSTORE_STORE_PASSWORD | Password for the keystore (optional if same as key password) |
| PLAY_CONFIG_JSON | Base64-encoded service account JSON |
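
A pre-flight check for the variables in the table above, as an added example (not part of Capgo's CLI or documentation): it decodes the two base64 values and confirms they hold a keystore and a service account key before a build consumes them. The function names are hypothetical, and the JSON fields checked (type, client_email, private_key) are assumed from the standard Google service account key file.

```python
import base64
import json
import os
import sys

# JKS is the legacy keytool format; PKCS#12 (keytool's default since JDK 9) is DER,
# so its first byte is a SEQUENCE tag. Both are structural hints, not proof.
KEYSTORE_MAGIC = {"JKS": bytes.fromhex("feedfeed"), "PKCS12": b"\x30"}

def decode_var(env, name):
    """Base64-decode env[name]; error messages name the variable, never its value."""
    raw = env.get(name, "")
    if not raw:
        raise ValueError(f"{name} is not set")
    try:
        return base64.b64decode("".join(raw.split()), validate=True)  # GNU base64 wraps lines
    except ValueError:
        raise ValueError(f"{name} is not valid base64 (path pasted, or truncated?)") from None

def keystore_type(env):
    data = decode_var(env, "ANDROID_KEYSTORE_FILE")
    for kind, magic in KEYSTORE_MAGIC.items():
        if data.startswith(magic):
            return kind
    raise ValueError("ANDROID_KEYSTORE_FILE is not a JKS or PKCS#12 keystore")

def service_account_email(env):
    data = decode_var(env, "PLAY_CONFIG_JSON")
    try:
        doc = json.loads(data)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        doc = None
    if not isinstance(doc, dict) or doc.get("type") != "service_account":
        raise ValueError("PLAY_CONFIG_JSON is not a service account key")
    if not (doc.get("client_email") and doc.get("private_key")):
        raise ValueError("PLAY_CONFIG_JSON lacks client_email or private_key")
    return doc["client_email"]

def preflight(env):
    """Return every problem found (empty list = usable); the store password is optional."""
    problems = [f"{n} is not set" for n in ("KEYSTORE_KEY_ALIAS", "KEYSTORE_KEY_PASSWORD") if not env.get(n)]
    for check in (keystore_type, service_account_email):
        try:
            check(env)
        except ValueError as exc:
            problems.append(str(exc))
    return problems

if __name__ == "__main__":
    sys.exit("\n".join(preflight(os.environ)) or 0)  # problems go to stderr, exit status 1
```

Run as the first CI step, it fails the job with the name of the offending variable and never prints a secret value.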

Test that everything is configured correctly:

# List saved credentials
npx @capgo/cli build credentials list
# Run a debug build (no signing required)
npx @capgo/cli build com.example.app --platform android --build-mode debug
# Run a release build (requires signing)
npx @capgo/cli build com.example.app --platform android --build-mode release

Google Play App Signing is recommended for enhanced security. When enabled:

  • Google manages your app signing key
  • You upload with an “upload key” (your keystore)
  • Google re-signs with the actual app signing key

This is configured in the Play Console under Setup → App signing and doesn’t change how you use Capgo - you still provide your upload keystore.

Cause: Incorrect path to keystore file.

Solution: Verify the file path is correct and the file exists:

ls -la ./my-release-key.keystore

Cause: Wrong password entered.

Solution:

  1. Double-check the password (copy-paste to avoid typos)
  2. Verify which password is which:
    • KEYSTORE_STORE_PASSWORD: Opens the keystore file
    • KEYSTORE_KEY_PASSWORD: Accesses the specific key

Test with keytool:

keytool -list -keystore my-release-key.keystore
# Enter store password when prompted

Cause: Key alias name doesn’t match.

Solution: List all aliases in your keystore:

keytool -list -keystore my-release-key.keystore

The alias is case-sensitive - use it exactly as shown.

Cause: Service account permissions issue.

Solution:

  1. Verify the service account has correct permissions in Play Console
  2. Check that the JSON file is the correct one (not a different service account)
  3. Ensure your app exists in Play Console and has at least one manual upload
  4. Wait 24 hours if you just set up the service account (permissions can take time to propagate)

Cause: Signing with a different key than previous releases.

Solution:

  • You must use the same keystore for all updates to an app
  • If you lost your keystore and use Play App Signing, contact Google support
  • If you lost your keystore without Play App Signing, you’ll need to create a new app listing
  1. Never commit to version control

    # Add to .gitignore
    echo "*.keystore" >> .gitignore
    echo "*.jks" >> .gitignore
  2. Create backups

    • Store in a password manager (1Password, Bitwarden)
    • Keep encrypted backup in secure cloud storage
    • Document passwords separately from the keystore
  3. Use strong passwords

    • Minimum 16 characters
    • Mix of letters, numbers, and symbols
    • Different from other passwords
  1. Limit permissions

    • Only grant permissions needed for uploads
    • Don’t grant financial or user data access
  2. Never commit JSON to version control

    echo "*-service-account.json" >> .gitignore
  3. Rotate if compromised

    • Delete the key in Google Cloud Console
    • Create a new service account if needed
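
An added example, not from the Capgo project, that backs up the two "never commit" items above: .gitignore has no effect on files git already tracks, and the patterns shown miss a keystore or key file saved under another name, so this script checks what git tracks by content as well as by name. The function names, the suffix list and the size limit are assumptions of the example.

```python
import os
import re
import subprocess
import sys

KEYSTORE_SUFFIXES = (".keystore", ".jks", ".p12", ".pfx")
JKS_MAGIC = bytes.fromhex("feedfeed")  # legacy JKS header; PKCS#12 has no distinctive magic
SA_TYPE = re.compile(rb'"type"\s*:\s*"service_account"')

def secret_kind(path, data):
    """Classify by content first, so a renamed keystore or key file is still caught."""
    if data.startswith(JKS_MAGIC):
        return "JKS keystore (content)"
    if SA_TYPE.search(data) and b'"private_key"' in data:
        return "service account key (content)"
    if path.lower().endswith(KEYSTORE_SUFFIXES):
        return "keystore (file name)"
    return None

def scan(paths, max_bytes=1_000_000):
    """Return [(path, kind)] for each readable file that looks like a signing secret."""
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                kind = secret_kind(path, fh.read(max_bytes))
        except OSError:
            continue  # removed from the work tree, a submodule directory, etc.
        if kind:
            hits.append((path, kind))
    return hits

if __name__ == "__main__":
    # Ask git what it already tracks: .gitignore has no effect on these files.
    out = subprocess.run(["git", "ls-files", "-z"], capture_output=True, check=True).stdout
    hits = scan(os.fsdecode(p) for p in out.split(b"\0") if p)
    for path, kind in hits:
        print(f"{path}: {kind} is tracked; run git rm --cached and treat it as exposed")
    sys.exit(1 if hits else 0)
```

Run it from the repository root, for example as a pre-commit or CI step; a non-zero exit status means a tracked file needs attention.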