Hand Over Generation and Shipping, but Never the Signing Key — Designing Key Custody and Handover for an AI-Driven Pipeline

Even in an era where AI Studio and Antigravity take over everything from generation to internal-test shipping, the app signing key is in a class of its own. Lose it, and that app can never be updated again. As a solo developer who has run several apps for years, here is how I design key custody — separating the upload key from the app signing key, storing it, and planning the handover for the worst case.

AI Studio⁵ Antigravity²⁷¹ Android²³ Google Play⁵ app-dev⁴²

✦ Premium Article

A few years ago I nearly lost the keystore for one of my apps. The night before wiping an old Mac, I was looking over my backups and realized the .jks file wasn't in any of them. If I hadn't caught it that night, that app would have permanently lost any way to ship an update. Code can be regenerated. A signing key cannot.

Now that AI Studio and Antigravity connect generation to internal-test shipping in a single screen, most of the distribution pipeline can be handed to a machine. And it should be — those steps are reversible. But the signing key is different in kind. The key is the identity of the app itself; lose it and the app becomes something else. So in this article I'll write, as a design, how to handle the signing key inside an increasingly automated pipeline, and where a human keeps holding on.

First, split the key into two kinds

Google Play signing involves two keys of different natures. Load automation onto the pipeline while conflating them, and you'll place a key that must never be exposed within reach of the machine.

One is the app signing key. It signs the APK that finally reaches the user's device, and with Play App Signing, Google manages it. It is the root of the app's identity, and as a rule neither human nor machine touches it day to day. Not touching it is what keeps it safe.

The other is the upload key. It signs the AAB when you send it to the Play Console, and Google has it registered as your upload key. If CI sends builds automatically, the upload key is what signs them. The important point: the upload key can be re-registered if lost. Lose it, and you can swap in a new upload key through support. By contrast, in an old setup where you hold your own app signing key without Play App Signing, the moment you lose that key, updates are over.

That difference decides the line of automation directly.

Key type	Consequence of loss	May automation touch it?
App signing key (Play-managed)	Held by Google; not touched	No (you don't even have it)
Upload key	Recoverable by re-registration	Yes, inject into CI (store it strictly)
Self-held app signing key (legacy)	Updates impossible forever	Never; consider moving to Play signing

I myself moved every app I could to Play App Signing. Running automated distribution while holding a self-managed key felt like passing an irreversible risk through the pipeline every night. If you still have an old app you haven't moved, I'd settle that before strengthening automation.

Feed automated signing without leaving the key in plaintext

I said the upload key may be injected into CI. Even so, committing a .jks to the repo or hard-coding the password into a script is out of the question — all the more so when generative AI touches the code. Keep the key itself, and the password that opens it, outside the world of code.

Locally, put the key password in the Keychain or a secret store, and pass it to Gradle in a form that never shows the value directly.

// app/build.gradle.kts — don't bake key details into code; receive them from the env
import java.io.FileInputStream
import java.util.Properties
 
android {
    signingConfigs {
        create("release") {
            // Receive the path from an env var; never put the key file in the repo.
            val keystorePath = System.getenv("UPLOAD_KEYSTORE_PATH")
            if (keystorePath != null) {
                storeFile = file(keystorePath)
                storePassword = System.getenv("UPLOAD_KEYSTORE_PASSWORD")
                keyAlias = System.getenv("UPLOAD_KEY_ALIAS")
                keyPassword = System.getenv("UPLOAD_KEY_PASSWORD")
            }
        }
    }
    buildTypes {
        getByName("release") {
            signingConfig = signingConfigs.getByName("release")
        }
    }
}

In CI, store the key file as an encrypted secret in Base64, unpack it only into the job's temp area, and delete it reliably on exit. You confine the time the key sits on disk in plaintext to the few minutes of the build.

# GitHub Actions example — unpack the key temporarily, with cleanup as part of the gate
- name: Restore upload keystore
  env:
    KEYSTORE_B64: ${{ secrets.UPLOAD_KEYSTORE_B64 }}
  run: |
    echo "$KEYSTORE_B64" | base64 -d > "$RUNNER_TEMP/upload.jks"
    echo "UPLOAD_KEYSTORE_PATH=$RUNNER_TEMP/upload.jks" >> "$GITHUB_ENV"
 
- name: Build & sign AAB
  env:
    UPLOAD_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }}
    UPLOAD_KEY_ALIAS: ${{ secrets.UPLOAD_KEY_ALIAS }}
    UPLOAD_KEY_PASSWORD: ${{ secrets.UPLOAD_KEY_PASSWORD }}
  run: ./gradlew bundleRelease
 
- name: Shred keystore
  if: always()
  run: shred -u "$RUNNER_TEMP/upload.jks" 2>/dev/null || rm -f "$RUNNER_TEMP/upload.jks"

The cleanup with if: always() is the crux — make sure the key file doesn't survive even when the build fails. When I first let an AI agent run all the way to automated signing, the pattern I fixed first was this "pair unpack with delete." Minimizing the time the key is exposed narrows the path by which it could slip into generated code or a temp log.

One caution: shred or rm only removes the file. Whether you've accidentally printed the key or password to the build log is a separate check. A setup that pipes the signing step's stdout straight into the log can, rarely, leak internal details. It's worth confirming your log masking settings once.

✦

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN

✦How to split the upload key from the app signing key, and draw the line between keys automation may touch and keys it never gets

✦Implementation steps for feeding a key to automated signing without leaving it in plaintext, both in CI and locally

✦An operating design for recovery and handover against three irreversibles: loss, leak, and the maker's absence

Secure payment via Stripe · Cancel anytime

✦

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

Unlock all articles with Membership →

Prepare recovery and handover for three irreversibles

The fear around keys boils down to three irreversibles. Preparing a "before it happens" measure for each is the insurance that lets you operate for the long term.

Loss — three-place storage and a yearly recovery drill

The first is loss — the situation I described, where the key isn't in the backup. An upload key can be brought back by re-registration; a self-managed app signing key is the end. The measure is simple: store the key across at least three places, separated geographically and by medium. I keep a three-way setup — a secure note in a password manager, an encrypted offline medium, and encrypted storage in a trusted cloud. Just as essential is actually testing recovery once a year: pull the key from one of the places and confirm you can sign with it. A procedure written down but never run goes stale.

Leak — keep a swappable setup

The second is leak — a suspicion the key has gotten out somewhere. For an upload key, you can request a swap to a new upload key from the Play Console. That is exactly why moving a self-managed key to Play signing is worth it. Having the option to "swap it" at all is what makes the night easier. To catch signs of a leak early, I occasionally check the last-access time of secrets and the CI run history.

The maker's absence — a sealed handover

The third is hard to talk about: the maker's absence. Solo development tends to keep all knowledge of the key inside one person's head. After I started thinking about family who live apart from me, I began to include this in the design seriously. Without handing over the key itself, leave a sealed procedure for "where, and how, it is stored" and "whom to contact." Whether you pass an app on to someone or wind it down, leaving a single path by which the last operation can still be performed is, I feel, the maker's responsibility.

Key handover note (keep sealed; never write the key in the body)
- Target apps: <list of package names>
- Signing scheme: Play App Signing (only the upload key is self-held)
- Where the upload key is stored: <the location of all 3 places, with how to open each>
- Handover contacts for Play Console / distribution account: <point of contact>
- Last date recovery was verified: <YYYY-MM-DD>

This sealed note contains neither key nor password. It records only "where and how to open things to reach the key." A map to where the key lives, and the key itself, managed separately. That is my own preparation against the hardest irreversible to talk about — the maker's absence.

The upload key can be swapped without breaking anything

I've said the upload key is re-registerable, but actually running the swap once makes the decision during a leak surprisingly light. Nothing is scarier at 2 a.m. than touching a key-swap for the first time in a panic.

The skeleton of the process is simple: create a new key, request the registration swap from the Play Console, and replace the CI secret with the new key. Because Google still holds the app signing key, the signature that reaches users' devices doesn't change. In other words, swapping the upload key preserves the app's identity. That is the single biggest advantage of Play App Signing.

# Create a new upload key and export the certificate for registration
keytool -genkeypair -v \
  -keystore upload-new.jks -alias upload \
  -keyalg RSA -keysize 2048 -validity 9125
 
# Extract the PEM certificate to submit to the Play Console
keytool -export -rfc \
  -keystore upload-new.jks -alias upload \
  -file upload-new-cert.pem

Attach the exported certificate to the Play Console's upload-key reset request, and from then on you can send with the new key. After rotating a key, I always confirm in internal testing both that old builds signed with the old key are rejected and that the new key sends successfully — and only then do I switch the automation secret. Reversing that order has a pitfall: automated distribution can fail in the window before the swap takes effect.

The speed of automation, and the weight of what you keep holding

Now that generation and shipping connect in a single screen, the range we can entrust to machines has genuinely widened. What should be entrusted, entrust without hesitation — the round trip of reversible steps is faster by machine than by hand.

But at the center of that speed, one thing of a different nature remains: the signing key. It is not a target of convenience but the identity of the app itself, and lost, it cannot be recovered. So feed the upload key to automated signing under strict storage, leave the app signing key to Play, and prepare the paths of recovery and handover in advance.

If you do just one thing next, confirm that the key for an app you run today can really be pulled from three places. Take the key out of one place and go all the way to a passing signature. With that confirmed, no matter how far you push automation, the footing, I think, will feel steady.

Thank You for Reading

Antigravity Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.