Skip to main content

Android code signing using the Android Sign Step

Abstract

You can create a signed APK using the Android Sign Step in your Bitrise Workflow. This Step is configured to run if you have already uploaded your keystore file on the Code signing tab of the Workflow Editor.

You can create a signed APK using the Android Sign Step in your Bitrise Workflow. This Step is configured to run if you have already uploaded your keystore file on the Code Signing tab of the Workflow Editor.

The Android Sign Step is not required if signing is configured in your project’s build.gradle file. If so, running the Android Build Step (or the Gradle Runner Step) signs the output (APK or AAB) automatically. Nevertheless, we recommend that you use the Android Sign Step to sign your project in an easy and secure way.

jarsign and apksigner

APKs can be signed with either jarsigner or apksigner. For APKs, if you wish to use apksigner to sign your project, then in the Android Sign Step you have to first set the Enables apksigner input to true and leave the APK Signature Scheme input on automatic. This way apksigner checks your APK’s minimum and target SDK versions and chooses the required schemes. It signs your project with V1 scheme if your minimum supported version is low and it also signs with other schemes for newer systems.

Please note that AAB files can only be signed with jarsigner. The Step uses jarsigner if it detects a file ending with .aab

  1. Open your app on Bitrise.

  2. Click the Workflows button on the main page.

    opening-workflow-editor.png

  3. Go to Code Signing > Android Code Signing.

  4. Drag-and-drop your keystore file to the Upload file field of the ANDROID KEYSTORE FILE section.

    A keystore URL automatically gets generated once you upload the keystore file. Bitrise assigns an Environment Variable (BITRISEIO_ANDROID_KEYSTORE_URL) to the download URL (which is a time-limited, read-only download URL) of the file as the value. No need to download it manually as the Android Sign Step downloads it automatically.

  5. Fill out the displayed three input fields with your credentials:

    • Keystore password

    • Keystore alias

    • Private key password

  6. Click Save metadata.

    When you have successfully uploaded a keystore file to the ANDROID KEYSTORE FILE section, Bitrise will automatically export the following Environment Variables based on your input:

    • $BITRISEIO_ANDROID_KEYSTORE_ALIAS

    • $BITRISEIO_ANDROID_KEYSTORE_PASSWORD

    • $BITRISEIO_ANDROID_KEYSTORE_PRIVATE_KEY_PASSWORD

    • $BITRISEIO_ANDROID_KEYSTORE_URL

  7. Add the Android Sign Step to your Workflow after the Step that builds your APK or AAB file.

    Bitrise uses the above Environment Variables and sets them as inputs into the respective fields of the Android Sign Step. Once the Step runs, it produces either a signed APK or an AAB. The signed APK or AAB is used in deploy Steps, for example, the Google Play Deploy Step or the Deploy to Bitrise.io Step. The latter deploys the APK/AAB on the Artifacts tab. You can also use Ship to deploy your app once you built an APK/AAB file.

Downloading your keystore file

You can download your keystore file to the project directory from the ANDROID KEYSTORE FILE section using the File Downloader Step:

- file-downloader:
   inputs:
   - source: $BITRISEIO_ANDROID_KEYSTORE_URL
   - destination: "$HOME/keystores/my_keystore.jks" #native android#

If a Step requires the keystore file, make sure to include that Step AFTER the File Downloader Step.

After this Step, my_keystore.jks will be available at $HOME/keystores/my_keystore.jks.

In this section:

A Step is a block of script execution that encapsulates a build task on Bitrise: the code to perform that task, the inputs and parameters you can define for the task, and the outputs the task generates.

A Workflow is a collection of Steps, Environment Variables, and other configurations. When Bitrise starts a build, it runs one or more Workflows according to the configuration defined in the bitrise.yml file.