
debug builds are not signed #2616

Open
5 tasks done
RobertFlatt opened this issue Jun 6, 2022 · 2 comments
Comments

@RobertFlatt
Contributor

Checklist

  • the issue is indeed a bug and not a support request
  • issue doesn't already exist: https://github.com/kivy/python-for-android/issues
  • I have a short, runnable example that reproduces the issue
  • I reproduced the problem with the latest development version (p4a.branch = develop)
  • I used the grave accent (aka backticks) to format code or logs when appropriate

Versions

  • Python: 3.8 and 3.10
  • OS: Ubuntu 20.4 and 22.04
  • Kivy: 2.1.0
  • Cython: 0.29.19
  • OpenJDK: 13 and 17

Description

"Android requires that all APKs be digitally signed with a certificate before they are installed on a device or updated." https://developer.android.com/studio/publish/app-signing.html

And specifically describes signing a debug build https://developer.android.com/studio/publish/app-signing.html#debug-mode

p4a does not sign a debug build. Given the clear statements above, this is a bug.

We are lucky that p4a-built APKs are usable; this is because the Android Package Manager signs unsigned packages. However, the key that it uses depends on tool versions, so it changes with p4a updates that use new tools.

As a consequence, after a p4a update an app update install fails with the message:

Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package org.test.whatever signatures do not match previously installed version; ignoring!]

This is because the Package Manager's auto-generated key has changed.

The workaround is to delete the app. But this also deletes the app's private storage. Also, the new install makes the app's public storage (which does persist) unwritable, because the updated app has a new UID.

Proposed fix

The proposed fix is to have p4a generate and manage a key. The debug.keystore could for example be under ~/.buildozer if p4a is run from Buildozer.

Password privacy doesn't matter, this is not about security. The p4a debug password can be in plain text in p4a.

The first update will still give the message above, as apps transition from the 'we got lucky' key to an explicit key.

As a side effect, release setup gets easier if p4a generates keys. The only thing the user needs to supply is one environment variable containing their password.

@RobertFlatt
Contributor Author

User experience https://groups.google.com/g/kivy-users/c/1HWlLHUz6VY

These devices always have a debug-build install-update failure: "Conflicting app signatures"

Device#1: Xiaomi Mi 6 running MIUI 11 based on Android 9
Device #2: One Plus 6 running OxygenOS 11 based on Android 11

The assumption is that key generation (for default signing) is different on these OS.

@SomberNight
Contributor

For reference, in Electrum, we carry this patch for p4a:
SomberNight@be4fa2f
used like this:
https://github.com/spesmilo/electrum/blob/4b8790c9198fe2578e2b8fe769101c18a89dd0be/contrib/android/make_apk.sh#L70-L81
This way, a keystore specific to debug builds is generated on demand if not there yet, is persisted, and used.

I haven't tried to upstream the patch as I was not sure how to make it backwards-compatible and keep the current behaviour of p4a. The current patch requires setting the listed env vars.
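The generate-on-demand, persist, and reuse pattern described in this thread, written here as an added example (it is neither p4a's nor Electrum's code). The alias, plaintext password, certificate name, and the ~/.buildozer location are assumptions; the `run` parameter is injectable so the decision logic can be exercised without a JDK, and the block also builds the apksigner command that uses the persisted key.

```python
"""Persist one debug-signing keystore so every debug build of an app is signed
with the same key, avoiding INSTALL_FAILED_UPDATE_INCOMPATIBLE on update.
Constructed example; not p4a's own code."""
import subprocess
from pathlib import Path

# Assumed defaults: Android's conventional debug identity and a plaintext
# password, as the issue proposes (this key only ever signs local debug builds).
DEBUG_ALIAS = "androiddebugkey"
DEBUG_PASSWORD = "android"
DEBUG_DNAME = "CN=Android Debug,O=Android,C=US"


def debug_keystore_path(base_dir):
    """Stable location under the build tool's state directory (e.g. ~/.buildozer)."""
    return Path(base_dir).expanduser() / "debug.keystore"


def keytool_genkey_argv(keystore, alias=DEBUG_ALIAS, password=DEBUG_PASSWORD):
    """keytool invocation creating a self-signed RSA key valid for 10000 days."""
    return [
        "keytool", "-genkeypair", "-v",
        "-keystore", str(keystore), "-alias", alias,
        "-storepass", password, "-keypass", password,
        "-keyalg", "RSA", "-keysize", "2048", "-validity", "10000",
        "-dname", DEBUG_DNAME,
    ]


def ensure_debug_keystore(base_dir, run=subprocess.run):
    """Create the keystore only if it is absent; return (path, created).

    An existing keystore is never regenerated, so the signing certificate stays
    the same across tool upgrades and the installed app keeps its UID and data.
    """
    keystore = debug_keystore_path(base_dir)
    if keystore.exists():
        return keystore, False
    keystore.parent.mkdir(parents=True, exist_ok=True)
    run(keytool_genkey_argv(keystore), check=True)
    return keystore, True


def apksigner_sign_argv(keystore, apk_in, apk_out,
                        alias=DEBUG_ALIAS, password=DEBUG_PASSWORD):
    """apksigner invocation that signs apk_in with the persisted debug key."""
    return [
        "apksigner", "sign", "--ks", str(keystore), "--ks-key-alias", alias,
        "--ks-pass", f"pass:{password}", "--key-pass", f"pass:{password}",
        "--out", str(apk_out), str(apk_in),
    ]
```

Running `apksigner verify --print-certs` on the old and new APK and comparing the certificate digests predicts the signature-mismatch failure before an install is attempted.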
