Configuration of Android signing certificates and Google service account credentials: Flutter Android App Deployment — Part 1

In a recent article, I delved into the intricacies of implementing CI/CD pipelines for Flutter iOS applications using Fastlane and GitHub Actions. Building upon that foundation, I’ve embarked on a new endeavor, this time focusing on deploying of Flutter Android apps. However, the landscape has shifted slightly; I’m now exploring the integration of Azure and Fastlane into the CI/CD workflow.

This write-up isn’t a comprehensive tutorial but rather a curated compilation of essential considerations to streamline your development process and optimize cost management. By highlighting key points and potential pitfalls, my goal is to provide developers with the insights necessary to navigate the complexities of CI/CD implementation for Android apps while effectively leveraging Azure services and Fastlane.

Generated by Microsoft Image AI

This will be a series of three articles covering the following topics:

1. Configuration of Android signing certificates and Google service account credentials
2. Setting up Fastlane and running it on your local machine
3. Configuring Azure Pipeline

Let’s start now with the first article! Part 2 and 3 will follow step-by-step.

Okay, let’s take a deep breath and dive into this ocean 😮‍💨😮‍💨😮‍💨.

Configuration of Signing Credentials and Service Account Credentials

Let’s collect the necessary credentials for the process. You’ll need two credentials.

The first is the app signing details, which are crucial for signing your app. When you release Android App Bundles on the Google Play Store, you must sign your app bundle with an upload key before uploading it to the Play Console, as the Google Play Store uses this signature before deploying your app to validate the app. Google app signing then signs the app for the Play Store. Later, the upload key is utilized to create signed app bundles for release during the cloud build process. The upload key is stored in an Android keystore, typically a file with a “.keystore” or “.jks” extension.

The second one is the JSON key, which is crucial for authenticating as the Google service account used to upload the app bundle to the Google Play console. So how do we generate these keys?

Signing certificates

To generate this key, you have a couple of options. You can either utilize the graphical interface provided by Android Studio or opt for the command line tool.

Using the Android Studio GUI:

To generate a key with this method, you have to follow the following steps:

1. Go to Build>Generate Signed APK>Next (module selected would be your module, most often called “app”)

2. Click on Create new

3. Fill in the form with the required details

Using Command line

Just use the following command and provide an appropriate name for the alias, key name, and password.

keytool -genkey -v -keystore MY-RELEASE-KEY.keystore -alias MY_ALIAS_NAME -keyalg RSA -keysize 2048 -validity 10000 -storetype jks

Try to keep all this information secret🤫. Also remember the alias name, key password, and store password you used during the process. I would suggest storing them in a password manager.

KeyStore Explorer

You can also use a GUI tool to create and inspect your keystore files. This can also be used to change the passwords or edit the keystore afterwards.

Google Service Account Credentials

Deploying an Android app on the Google Play Store requires setting up a service account via the Google Cloud Console if you want to upload the app via CI. The service account provides the necessary credentials for accessing Google Play APIs. Tools like Fastlane utilise the service account’s JSON key file to automate app bundle deployment to the Play Store and streamlining the process

To get that service account's JSON key file we have to follow the given steps:

1. Log into the Google Cloud Platform and select IAM and Admin > Service Accounts.

2. Select ‘Create Service Account’.

In the pop-up, make sure all the provided information is correct. Click ‘Done’ once the above is filled out.

3. You will now see the page with a service account created. Select the account (hyperlinked):

4. Select ‘Add Key’:

5. Choose ‘Create New Key’:

6. After this process, you should have a JSON key downloaded, which is very important. Keep it secret and don’t lose it🙂.

Adding the Service Account as a User

In the Credentials > Service accounts section, you’ll find the service account you recently created. Copy the email address associated with this service account.

Once you have copied the email address, head to ‘Users and permissions’ in the Google play console, then choose ‘Invite new user’

On the page that opens, paste the copied email address into the ‘Email address’ section. Leave ‘Access expiry’ unchecked. Then, under ‘Account permissions’, check ‘Admin’, and finally, click ‘Invite user’.

Click ‘Send invite’ on the confirmation pop-up.

After inviting the user, navigate to the ‘Users and permissions’ section. You should locate the service account email address listed there, marked as active, with ‘Never expires’ underneath.

Don’t forget to securely store this JSON file in your vault/password manager for the upcoming steps.

Before moving on, you should manually upload your signed AAB (Android App Bundle) to an internal test, at least for the first time. This step will help recognize the app ID and sign configurations, enabling the next steps.

By now, you have acquired all the required credentials for automating the deployment.

For the next step, follow this article.

If you have any questions about the process, feel free to ask in the comments section.

Special thanks to Christian Navolskyi for proofreading the article.

That’s all for this article. See you in the next one!

ByeBye✌️.