[JIRA] (JENKINS-58310) Can I use the android signing plugin to sign android app bundles?

9 views
Skip to first unread message

artemy.kilin@gmail.com (JIRA)

unread,
Jul 3, 2019, 3:45:02 AM7/3/19
to jenkinsc...@googlegroups.com
Artemy Kilin created an issue
 
Jenkins / Task JENKINS-58310
Can I use the android signing plugin to sign android app bundles?
Issue Type: Task Task
Assignee: Robert St. John
Components: android-signing-plugin
Created: 2019-07-03 07:44
Priority: Major Major
Reporter: Artemy Kilin

We are migrating to the new android app bundle format and I'd like to keep signing my aab files with the same signing plugin. Is it possible with existing signing plugin implementation?
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

restjohn@gmail.com (JIRA)

unread,
Jul 3, 2019, 7:33:01 AM7/3/19
to jenkinsc...@googlegroups.com
Robert St. John commented on Task JENKINS-58310
 
Re: Can I use the android signing plugin to sign android app bundles?

To be quite honest, I don't know.  Do you have a build you can try already?  I'll look into it when I get a few spare moments in the next couple of days.

restjohn@gmail.com (JIRA)

unread,
Jul 8, 2019, 1:01:02 AM7/8/19
to jenkinsc...@googlegroups.com

Some brief research unfortunately reveals that the plugin cannot sign AABs, currently. I can probably get around to implementing a solution that uses Java's JarSigner API. In the interim, you should be able to use Java's `jarsigner` command-line utility and the Credentials Binding Plugin to sign your AABs. Just be aware of some of the security concerns that go along with that approach.

restjohn@gmail.com (JIRA)

unread,
Jul 8, 2019, 7:28:03 AM7/8/19
to jenkinsc...@googlegroups.com
Robert St. John edited a comment on Task JENKINS-58310
Some [brief research|https://developer.android.com/studio/build/building-cmdline#sign_cmdline] unfortunately reveals that the plugin cannot sign AABs, currently.  I can probably get around to implementing a solution that uses Java's [ {{JarSigner}} |https://docs.oracle.com/en/java/javase/11/docs/api/jdk.jartool/jdk/security/jarsigner/JarSigner.html] API.   Pull requests are welcome as well, if you're so inclined.   In the interim, you should be able to use Java's ` {{ jarsigner ` }} command-line utility and the [ Credentials Binding Plugin |https://plugins.jenkins.io/credentials-binding] to sign your AABs.  Just be aware of some of the [security concerns|https://jenkins.io/doc/pipeline/steps/credentials-binding/#withcredentials-bind-credentials-to-variables] that go along with that approach.   You could also enroll in Google Play's app signing, as the [Android docs describe|https://developer.android.com/guide/app-bundle#get_started], if that's an option for you.

artemy.kilin@gmail.com (JIRA)

unread,
Jul 8, 2019, 8:01:03 AM7/8/19
to jenkinsc...@googlegroups.com

Thank you for you reply, I'll choose the most proper option. I hope one day the plugin will be able to sign aab though.

restjohn@gmail.com (JIRA)

unread,
Jul 8, 2019, 8:04:02 AM7/8/19
to jenkinsc...@googlegroups.com
Robert St. John updated an issue
 
Jenkins / New Feature JENKINS-58310
Change By: Robert St. John
Issue Type: Task New Feature
Reply all
Reply to author
Forward
0 new messages