App signing and keystore

Are apps made in MIT App Inventor already signed or do they just provide us the keystore and we have to sign it?

annoying and excessive tagging removed by Taifun

This is what app signing is all about

When you create an app with App Inventor, it is ‘automatically signed’ … **so you can stop worrying about app signing.** 😉 When you create the app, it is ALREADY SIGNED.

Keystores in App Inventor are described in the link Taifun provided in your previous post: App signing, How to sign an apk made in mit using the keystore exported from mit app inventor?

During the .apk building process, your application is signed with a digital private key that is associated with your account. Whenever you build a new version of your app, this same key is used to sign the new version. When an Android device has an application installed on it, it remembers the key that was used to sign the application. In order to install an updated version of an application, the new application must be signed by the same key. It is therefore important that you not lose this key! (Google Play also refers to the key as a certificate.)

Your private digital key is stored in a keystore file. Normally the MIT App Inventor server will create this file when needed and store it for you, so you do not need to worry about it. Although we do not anticipate losing your keystore file, we recommend that you back it up. From the designer under the “Projects” menu, there is a choice labeled “Download Keystore.” Select this option to download your keystore file to your local computer. Save the keystore file in a safe place. It should not be publicly readable: your private digital key is a secret that should not be shared, or else other people will be able to overwrite your apps in the Play Store.

If you move your project to another App Inventor server, you will want to upload your keystore to that server. There is an “Upload Keystore” option under the “Projects” menu. You need to do this only if you are publishing .apk files to Google Play or if you intend to share your application with other people.

IF YOUR KEYFILE IS LOST OR DELETED IT CANNOT BE RECOVERED. If you were to then lose your project’s source code, you would need to recreate the project from scratch. NEITHER YOU NOR MIT CAN RECOVER A LOST KEYFILE. NO AMOUNT OF EFFORT WILL RECOVER IT, SO BE SURE TO BACK IT UP!!!

Please refrain from tagging several users in your thread, this is annoying… we see your question… I removed the tags therefore. Also be patient while waiting for answers…

You might want to read a bit more about the community guidelines here

Thank you


Trying to push the limits! Snippets, Tutorials and Extensions from Pura Vida Apps by Taifun.

Just a note: Google requires that the contents of the exported keystore are repackaged as a zip file containing Google's own encryption of the private key and a self-signed public certificate containing the public key (both keys taken from the keystore exported from AI2). The program needed to do this is pepk.jar. It can be pulled down through the Google Play Console. Once you upload the output zip file, then you can successfully upload the apk that was signed for you by AI2.

P.S. The passwords are android for both the keystore and the private key. The alias for the key pair set in the keystore file is androidkey. You will need this info for successfully executing pepk.jar.

Also, since all the world knows the passwords for your AI2 keystore, you need to keep that file properly secured. AI2 is balancing usability against security. If your app is doing high value stuff, you might consider the implications of loosely secured private keys. An escaped private key can be used for shenanigans.
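An added example, not part of the thread and not App Inventor's own code: because the keystore and key passwords are public, file permissions are what protect a downloaded keystore backup, so this Python check flags a copy that is readable beyond its owner, sanity-checks the container format, and hashes it so two backup copies can be compared. The function names are hypothetical, POSIX file permissions are assumed, and the format detection is a heuristic based on the leading bytes.

```python
import hashlib
import os
import stat
import sys
import tempfile

# Leading bytes of the Java keystore container formats (JKS and JCEKS).
MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}


def keystore_format(head: bytes) -> str:
    """Guess the container type from the first bytes (heuristic)."""
    if head[:4] in MAGIC:
        return MAGIC[head[:4]]
    if head[:1] == b"\x30":  # DER SEQUENCE tag, as at the start of PKCS#12
        return "PKCS12?"
    return "unknown"


def audit_keystore(path: str) -> dict:
    """Return format, SHA-256 and findings for one keystore backup copy."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    # The store and key passwords are publicly known, so file permissions
    # are the only protection the private key has at rest.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/others; restrict to owner (chmod 600)")
    fmt = keystore_format(data)
    if fmt == "unknown":
        findings.append("does not look like a Java keystore; backup may be corrupt")
    return {"format": fmt, "sha256": hashlib.sha256(data).hexdigest(),
            "findings": findings}


def same_backup(path_a: str, path_b: str) -> bool:
    """True when two backup copies are byte-identical."""
    return audit_keystore(path_a)["sha256"] == audit_keystore(path_b)["sha256"]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real backup given on the command line
        print(audit_keystore(sys.argv[1]))
    else:  # constructed sample: JKS magic bytes, world-readable mode
        with tempfile.NamedTemporaryFile(suffix=".keystore", delete=False) as tmp:
            tmp.write(b"\xfe\xed\xfe\xed" + b"\x00" * 16)
        os.chmod(tmp.name, 0o644)
        print(audit_keystore(tmp.name))
        os.unlink(tmp.name)
```

Run it against each place the keystore is stored; an empty `findings` list and matching hashes across copies mean the backups are intact and owner-only.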