Rrocess to ensure that both your debug and release builds (including those distributed via Google Play) are correctly recognized by Firebase for Google Sign-In. Option Reading Might want to read SHA1 key hell regarding Gmail authentication and sign-in.
-
Debug Builds:
Your development builds are signed with the debug keystore (typically located in~/.android/debug.keystore). The SHA-1 fingerprint from this keystore is already added to Firebase, which is why sign-in works in the emulator. -
Release Builds & Google Play App Signing:
When you build a release APK/AAB, you use your own upload key (from your production/release keystore). However, if you opt into Google Play App Signing, Google re-signs your app with its own App Signing Key. Firebase needs the SHA-1 of this key to verify production installs downloaded from the Play Store.
-
Generate a Release Keystore:
If you haven’t already, create your upload key with a command like:keytool -genkeypair -v -keystore my-upload-key.keystore -alias my-key-alias -keyalg RSA -keysize 2048 -validity 10000
Keep this keystore secure and back it up.
-
Store Your Credentials:
In yourandroid/gradle.properties(make sure it’s in your.gitignore), add:MYAPP_UPLOAD_STORE_FILE=my-upload-key.keystore MYAPP_UPLOAD_KEY_ALIAS=my-key-alias MYAPP_UPLOAD_STORE_PASSWORD=your_keystore_password MYAPP_UPLOAD_KEY_PASSWORD=your_key_alias_password
-
Configure Gradle Signing:
Edit yourandroid/app/build.gradleto include a signing configuration:android { ... signingConfigs { release { if (project.hasProperty('MYAPP_UPLOAD_STORE_FILE')) { storeFile file(MYAPP_UPLOAD_STORE_FILE) storePassword MYAPP_UPLOAD_STORE_PASSWORD keyAlias MYAPP_UPLOAD_KEY_ALIAS keyPassword MYAPP_UPLOAD_KEY_PASSWORD } } } buildTypes { debug { // Uses default debug signing configuration } release { signingConfig signingConfigs.release minifyEnabled enableProguardInReleaseBuilds proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro" } } ... }
- Building the App:
In yourandroiddirectory, run one of the following:- For an APK:
./gradlew assembleRelease
- For an AAB (recommended for Play Store):
./gradlew bundleRelease
android/app/build/outputs/apk/release/orandroid/app/build/outputs/bundle/release/. - For an APK:
🔎 🔎 !! Watch App Bundles: Everything to know about Play App Signing - MAD Skills on YouTube.
-
Upload Your Build:
- Log in to the Google Play Console.
- Select your app and navigate to a testing track (Internal, Closed, or Production for release).
- Upload the signed APK/AAB that you just built.
-
Get the App Signing SHA-1:
- In the Play Console, go to Setup > App Integrity (or a similarly named section).
- Under the App Signing tab, you’ll see two certificates:
- App Signing Key Certificate: This is the SHA-1 that Google uses to re-sign your app for distribution.
- Upload Key Certificate: This is the SHA-1 of the key you used to upload your build.
- Copy the SHA-1 fingerprint of the App Signing Key Certificate.
This is the most critical fingerprint for ensuring that apps installed from the Play Store can authenticate with Firebase.
-
Add App Signing SHA-1:
- Open your Firebase project console.
- Go to Project Settings (the gear icon) → General tab.
- Under Your apps, select your Android app.
- In the SHA certificate fingerprints section, click Add fingerprint and paste the App Signing SHA-1 you just retrieved.
-
(Optional but Recommended) Add Upload Key SHA-1:
- Get your upload key’s SHA-1 by running:
keytool -list -v -keystore path/to/my-upload-key.keystore -alias my-key-alias -storepass your_keystore_password -keypass your_key_alias_password
- Add this SHA-1 to Firebase as well. This ensures that if you test a locally signed release build, it’s also recognized.
- Get your upload key’s SHA-1 by running:
-
Download Updated
google-services.json:
After updating the SHA-1s, download the updatedgoogle-services.jsonfrom Firebase and replace the file in yourandroid/app/directory.
-
Clean the Build:
From theandroiddirectory, run:./gradlew clean
-
Rebuild the Release Build:
Run the build command again (eitherbundleReleaseorassembleRelease). -
Test on a Physical Device:
Install the newly built release APK/AAB on a device (either directly or via the testing track in Play Console) and verify that the Google Sign-In flow works as expected.
-
Debug Environment:
- Debug SHA-1 fingerprint is added to Firebase.
-
Release Environment (Before Upload):
- Generate release keystore (upload key) and configure Gradle.
- Build a signed release APK/AAB.
-
Google Play Console Steps:
- Upload your signed APK/AAB.
- In the Play Console under Setup > App Integrity, locate and copy the App Signing Key SHA-1.
-
Firebase Update:
- Add the App Signing SHA-1 (and optionally, the Upload Key SHA-1) to Firebase.
- Download the updated
google-services.jsonand replace it in your project.
-
Final Steps:
- Clean and rebuild your project.
- Test the production build to ensure Google Sign-In works.
By following these steps, your production app should correctly authenticate with Firebase using Google Sign-In, both for internally signed release builds and for those distributed via the Play Store.
If any step is missed or misconfigured, Firebase won’t recognize the signing certificate from your production app, which is why it works on your emulator (debug SHA-1) but fails in production. This checklist ensures that all relevant SHA-1 fingerprints are properly configured.