Use ONE store App Signing

Using ONE store App Signatures

In order to use the Android App Bundle, you must use either the app signing key created on ONE store or register the app signing key you created yourself.

This is due to Androids requiring digital signatures via certificates when installing or updating APK.

ONE store does not mandate the use of the Android App Bundle.

However, once you switch to the Android App Bundle, you cannot switch to APK again. Please keep this in mind.

If your products currently for sale are as follows, we recommend that you continue to use APK.

1. If two or more binaries are registered for sale and the following are applicable:

   1. Different package names are used for products for sale

   2. Different signature keys are used for products for sale

2. If apps are registered via UDP

ONE store App Signature Security

ONE store keys are stored in the infrastructure where ONE store generates and stores its own keys.

It is protected by the ONE store key management service.

Android apps are signed with a private key. To ensure that app updates can be trusted, all private keys have public certificates that devices and services use to verify that the app is published from a trusted source.

Devices will only accept updates if the signature of the update matches the signature of the installed app. You can make this process more secure by allowing ONE store to manage this app signing key.

ONE store Key Management Security

The ONE store key management system has several levels of security to keep the member's app signing keys safe.

1. Encrypts and manages app signing keys at each step.

   1. Hardware encryption (AES256)

   2. Database encryption (AES128/AES256 + RSA)

   3. Transmission interval encryption (ECDH+AES)

2. Distributed storage of encryption keys.

   1. In each section, keys are distributed and stored so that the data cannot be known even if it is exposed due to human error.

3. Blocked exposure of app signing keys and key management system.

   1. The key management system is restricted from outside access, and all tasks related to app signing keys are delegated to the key management system to prevent key information from being exposed outside of the system.

4. Hardware access restrictions.

   1. Manages and operates with minimal hardware that can communicate with the key management system.

5. User authentication.

   1. Implements secondary authentication for users accessing the key management server, allowing only essential users access.

App signature

ONE store provides app signing options as follows:

1. Let ONE store manage and protect your app signing key

2. Use the same key as another app in this developer account

3. Export and upload a key from Java keystore

4. Export and upload a key (not using Java Keystore)

5. Disable app signature (Upload signed APK without registering signing key)

Signature Options

1. Let ONE store manage and protect your app signing key

• This is an option for ONE store to create and save signing keys directly.

• Products sold under the existing APK cannot be updated if the signing key is changed. Therefore, only newly created products can be used.

• If your app is using a solution or feature (such as Google Login) that checks for a signing key match, you should provide certificate fingerprints to the company in New binary > signing key information.

• If you are already using a product solution or feature that is being sold in another market, please select the Export and upload a key from Java keystore option or Export and upload a key (not using Java Keystore) option.

2. Use the same key as another app in this developer account

• This is an option to use the same signing key as a previously registered or created signing key in another app.

• You can only connect with other signing keys within the developer account, and you can use this option if you need to link with other apps.

3. Export and upload a key from Java keystore, Export and upload a key (not using Java Keystore)

• Options for registering and using user-created signing

• You can encrypt the created signing keys using the Play Encrypt Private Key (PEPK) tool to securely transfer and store them in ONE store.

4. Disable app signature (Upload signed APK without registering signing key)

• This is an option that is managed directly by the developer without registering or generating keys on ONE store.

• If you do not use the app signature provided by ONE store, you must register the signed APK.

App Signing and Registration Procedures

New Products (signature option available)

1. Confirm whether to register the product as APK or AAB. New products can be sold by registering them as APK or AAB, but if sold as AAB, they cannot be updated to APK.

2. Generate the upload key and sign using the key.

3. For AAB, select the option to register the AAB file, then select the signature option (#1-3). Then, register the AAB file.

4. For APK, select the option to register the APK file, then select the signature option (#1-4). Then, register the APK file.

Registered Products(signed directly by developer)

1. Confirm whether to register the app update as APK or AAB.

   1. Products sold as APK can be converted to Android App Bundles or continued to be used as APK. However, app signatures are not supported for using multi-binary APK.

   2. Products sold as AAB can only be registered as AAB, even when updating the app.

2. If you update an APK without using app signatures, select the option to register the APK file and select the signature option (#4). Then, register the APK file.

3. If you update an APK while using app signatures, select the option to register the APK file and select the signature option (#1-3). Then, register the APK file.

4. When updating an APK that did not use app signatures to AAB, select the option to register the AAB file and select the signature option (#2-3). Then, register the AAB file (if you convert to an Android App Bundle, you cannot convert it back to APK).

Replacing Lost or Stolen Upload Keys

If your upload key is lost or stolen, go to Contact Us > Technical Support and request a replacement with the product title specified, and we will replace the upload key for you. When making your request, please attach a new upload key upload_certificate.pem file. Once the replacement is complete, you can update the product with the new upload key.

App Signature

Terms	Details
App signing key	This key is used for APK signatures, for distribution to users’ devices on ONE store. The ONE store app signature allows you to create a key or register a key being used by an app that is for sale.
Upload key	This key is used to verify the identity of the developer when registering apps on ONE store. When updating a product, you must upload a file that has been signed by the same upload key.
Certificate (.der or .pem)	A certificate contains additional identification information about a public key and its owner. A public key certificate allows anyone to verify who signed the App Bundle, as well as share it with others, as it does not contain a private key. To register a key with an API provider, download the public certificate of the app signing key and upload key from the binary file details signature page. Public key certificates can be shared with others and do not include private keys.
Certificate fingerprint	There are many cases where API providers request certificate fingerprints (in short, unique formats) along with package names. Certificate fingerprints are used to register apps with the provider service. The MD5, SHA-1, and SHA-256 fingerprints on the upload and app signature certificates can be found on the app signature page (via the binary file details signature page). You can also download the original certificate (.der) from that page and convert it to another fingerprint.
Java keystore (.jks or .keystore)	Storage for security certificates and private keys.
Play Encrypt Private Key (PEPK) tool	A tool for exporting and encrypting private keys from the Java Keystore and sending them to ONE store. Download and use the tool from the Internet or a legitimate source. If desired, you can use the open source code of the PEPK tool.