CI/CD, Signing & Release Flashcards
BUILD & TOOLING › Delivery
- What is the difference between the upload key and the app signing key in Play App Signing?
- The upload key signs the AAB you send to Play; Google verifies it, strips it, and re-signs the delivered APKs with the app signing key it holds. The upload key can be reset if lost; the app signing key never changes for the app's lifetime.
- You lost your upload key. Can you still ship updates?
- Yes. Request an upload key reset in Play Console (Setup > App signing) and register a new upload certificate. The app signing key is untouched, so existing users update seamlessly with no package-name change.
- What happens if you self-manage signing (no Play App Signing) and lose the signing key?
- It is unrecoverable. You cannot publish updates to the same app; you must publish a brand-new app under a new package name, and existing users cannot upgrade. This is why Play App Signing is mandatory for new apps.
- Why does Google require Android App Bundles (AAB) instead of universal APKs for new apps?
- The AAB lets Google generate and sign optimized, per-device APKs (split by ABI, density, language), shrinking download size and enabling dynamic feature delivery. Re-signing requires Google to hold the app signing key, which AAB delivery enforces.
- Name the Google Play release tracks from least to most exposed.
- Internal testing (up to 100 testers, fastest), then closed testing (alpha, invite/email lists), open testing (beta, public opt-in), then production. You promote a build between tracks rather than rebuilding.
- What is a staged (phased) rollout and why use it?
- Releasing a production version to a percentage of users (e.g. 5% to 100%) so you can monitor crash rate and ANRs, then halt or roll back the rollout before it reaches everyone if metrics regress.
- How do you keep signing keystore secrets out of source control in a CI pipeline?
- Store the keystore base64-encoded and the passwords as encrypted CI secrets (GitHub Actions secrets, Bitrise secret env vars). Decode the keystore at build time and pass a keystore.properties path; never commit the .jks or passwords.
- What does Fastlane's 'supply' action do, and what is a 'lane'?
- supply uploads AABs/APKs, metadata, screenshots, and listings to the Play Console via the Play Developer API. A lane is a named sequence of actions in the Fastfile (e.g. lane :beta) you run with one command, locally or in CI.
- What credential does Fastlane (or any CI) need to publish to the Play Console, and how is it obtained?
- A Google Cloud service-account JSON key with the Play Android Developer API enabled and the account granted access in Play Console. It is stored as a CI secret and passed to supply via json_key.