android - How to sign your app using the upload key

I'm trying to publish my app to the Google Play Store, and I cannot figure out how to sign the app using the upload key, as stated in https://developer.android.com/studio/publish/app-signing.html

I use Android Studio, and I signed the APK using Build -> Generate Signed APK, and created my own key at my own key store path/file. Now, to do the release, I need to use the Google upload key, which confused me. So,

  1. Where can I find my upload key in Google Play Console? Under App signing of this app, I can see Upload certificate of MD5, SHA-1, SHA-256 and even download an upload.pem file. What do I do with it?

  2. Then exactly how do I use the Build -> Generate Signed APK in Android Studio to sign it with this so-called upload key?

My app uses Google Sign-In to authenticate users. Right now it works if I just install my own APK. But if I download it from the Google store, it cannot do the Google authentication, for which I assume I screwed up the publication procedure.

FYI, I'm using the "Use Google Play App Signing" process.

Please help.


1 Answer


I think I've figured this out...

When you elect to use the Google App Signing process, Google Play CHANGES your uploaded app's signature to the SHA-1 certificate fingerprint of the App signing certificate (as against the Upload certificate). See Figure 1 at this Studio document for the process flow.

[Btw, you can find both of the app's certificates at Google Play Console -> Release Management -> App Signing]

This means that, for OAuth to work, you must create a new OAuth 2.0 credential (at console.developers.google.com) that uses the App signing certificate's fingerprint (as against the Upload certificate's fingerprint) with the same package name.

Your package will now have 2 OAuth credentials, one for production releases, the other for your development/testing. Both will have the same package name; the production credential will use the App signing fingerprint, while the dev/testing credential will use the Upload (or local keystore) fingerprint.

Obviously, you will not know the App signing fingerprint until your app is first deployed to Google Play (GP assigns it). So, the production credential will need to be created after uploading to Google Play for the first time, but prior to clicking "Rollout to Production".
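A way to check which OAuth credential a given certificate would match, as an added example that is not part of the original answer. It computes the SHA-1 fingerprint of a PEM certificate (such as the downloaded upload.pem) as the hash of its DER bytes and compares it with the fingerprint registered on each credential; the certificate bytes and credential names below are constructed stand-ins.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file such as upload.pem."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, algo="sha1"):
    """A certificate fingerprint is the hash of its DER encoding, shown as AA:BB:..."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce 'AA:BB', 'aa bb' or 'aabb' to bare upper-case hex for comparison."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matching_credentials(pem_text, credentials):
    """Names of the OAuth credentials whose registered SHA-1 matches this certificate."""
    fp = normalize(fingerprint(pem_to_der(pem_text)))
    return [name for name, reg in credentials.items() if normalize(reg) == fp]


def make_pem(der):
    """Wrap bytes in PEM armour (only used to build the constructed samples)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-ins: placeholder bytes, not real X.509 certificates.
UPLOAD_PEM = make_pem(b"constructed upload certificate")
APP_SIGNING_PEM = make_pem(b"constructed app signing certificate")

# Hypothetical credential names mapped to the SHA-1 registered for each.
DEV_ONLY = {"dev/testing": fingerprint(pem_to_der(UPLOAD_PEM))}
BOTH = dict(DEV_ONLY, production=fingerprint(pem_to_der(APP_SIGNING_PEM)).lower())

if __name__ == "__main__":
    # The Play-delivered build carries the App signing certificate.
    print("dev credential only:", matching_credentials(APP_SIGNING_PEM, DEV_ONLY))
    print("after adding prod  :", matching_credentials(APP_SIGNING_PEM, BOTH))
```

With only the dev/testing credential registered, the App signing certificate matches nothing, which is the state in which sign-in works for a locally installed APK but not for the copy delivered by Google Play.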

