CI/CD, Signing & Release Quiz

BUILD & TOOLING › Delivery

In Play App Signing, which key signs the APKs that users actually download from the Play Store?

Answer: The app signing key stored and used by Google

Google strips your upload signature after verification and re-signs the delivered APKs with the app signing key it stores; the upload key only protects the path from you to Play.

A developer's upload keystore is stolen. What is the correct recovery action?

Answer: Request an upload key reset in Play Console and add a new certificate

Because the app signing key is separate and held by Google, you simply reset the upload key; existing users keep updating normally with no package change.

Why is the Android App Bundle (AAB) format required for new apps on Google Play?

Answer: It lets Google build and sign optimized APKs for each device

The AAB defers final APK generation to Google, which splits and signs per density/ABI/language; this requires Google to hold the app signing key, which is why AAB plus Play App Signing is enforced.

Which Play Console track is best for a quick smoke test with a small, fixed group of internal QA users?

Answer: Internal testing

Internal testing supports up to 100 testers and is the fastest track to process, making it ideal for rapid internal QA before promoting to wider tracks.

What is the safest way to provide a release keystore to a GitHub Actions runner?

Answer: Store it base64-encoded in an encrypted secret, then decode it at build time

Secrets must never be committed or logged; encoding the keystore and storing it plus passwords as encrypted CI secrets, decoding only at build time, keeps them out of version control.

In Fastlane, what is a 'lane'?

Answer: A named workflow in the Fastfile run with a single command

Lanes are user-defined workflows in the Fastfile (e.g. lane :beta) that chain actions like gradle and supply, runnable identically on a laptop or CI server.

What credential does Fastlane's supply action need to upload a build to the Play Console?

Answer: A Google Cloud service-account JSON key with Play API access

supply authenticates to the Play Developer API using a service-account JSON key (json_key) that has been granted access in the Play Console; signing keys are unrelated to API auth.

During a 20% staged production rollout, your crash rate spikes. After halting the rollout, how do you get the 20% who already updated back onto a working version?

Answer: You can't downgrade installed users; ship a fix with a higher versionCode

Google Play never downgrades users to a lower versionCode, and halting a rollout only stops further distribution; the only fix is a new release with an incremented versionCode.

Which APK Signature Scheme first allowed an app's signing key to be rotated using a certificate lineage?

Answer: v3

APK Signature Scheme v3 (Android 9) introduced proof-of-rotation lineage so an app can switch signing keys while staying updatable; v1/v2 have no rotation and v4 only adds incremental streaming on top of v3.

Play rejects your new AAB with an error that the version code is already used. Which rule are you violating?

Answer: Every uploaded artifact needs a versionCode higher than any prior one

Play keys releases by an integer versionCode that must increase monotonically; reusing or lowering it is rejected regardless of the human-readable versionName.

Crash reports for your obfuscated release show meaningless class and method names in Play Console. What is missing?

Answer: The matching R8/ProGuard mapping.txt file for that release

Play Console can only un-obfuscate stack traces when the matching R8 mapping file is present (auto-included from an AAB or uploaded manually); without it the traces stay obfuscated.

In a GitHub Actions Android pipeline, why cache the ~/.gradle/caches and wrapper directories between runs?

Answer: It avoids re-downloading dependencies and reuses outputs to cut builds

Dependency and build caches let later CI runs skip network downloads and reuse up-to-date task outputs, substantially shortening builds; caching has nothing to do with signing or secret handling.

You add a CI service account to the Play Console for automated uploads. Which permission setup follows least privilege?

Answer: Grant only release rights for the app and tracks it publishes to

Least privilege means granting the service account only the release permissions for the apps and tracks it actually publishes to, limiting blast radius if the key leaks; Admin or owner credentials are over-scoped.

From a signed AAB, how do you locally produce and install the exact split APKs that Play would deliver to one connected device?

Answer: Use bundletool to build an APK set, then install-apks to the device

bundletool build-apks generates a device-specific .apks set from the AAB and install-apks pushes the matching splits, reproducing Play's per-device delivery locally; an AAB cannot be installed directly.

Back to CI/CD, Signing & Release