Android and Firebase - signing with the right keys

I recently moved from doing my Android development within a Debian virtual machine to working directly in my NixOS environment.  After getting the software installed I could build the Android package (APK) for eVitabu but it couldn't connect to the backend.  After hours of frustration, desk banging and research I finally stumbled across the answer - this post is to hopefully save you time.

Initially I'd held off developing for Android directly in NixOS because I was new to the OS and it can be awkward to get things working without reading a lot.  NixOS completely changes how you configure a Linux system (a single config file for everything, rather than one per application) so it seemed sensible to setup my development environment in something I knew better.  Sadly the VM was becoming unstable, often lagging, so I took the decision to go native.

What didn't work?

When the eVitabu app loads it connects to the management backend to pull down lists of contributors and content.  Access to the system is restricted to users approved by African Pastors Fellowship and authentication is handled by Google (using OAuth).  For authentication against Google to work correctly the APK has to be signed, and despite signing with APF's known key, authentication was still failing.  Looking at the backend logs I wasn't seeing anything useful, so you can probably tell why I was getting narked.

Firebase and authentication

Most of the work done on the eVitabu app had been done by my coding partner, Mike, so he'd also done most of the work with Firebase.  In a nutshell, for Google to allow your authentication request, Firebase has to know the certificate fingerprint for your app.  I'd taken the existing private and public keys from the virtual machine, and was signing the APK with them, so I was completely confused as to why Firebase was refusing the requests.  I didn't have any logs to go on within Firebase either.

Past experience meant I was pretty convinced the problem was caused by Firebase not liking the certificate that signed the app, I just needed to work out why.  Builds made in the VM environment still worked, so I knew it was something to do with the environment and not my code.  The question remained: what?

Signing your APK

Both Jetbrains IntelliJ Idea and Android Studio (also made by Jetbrains) have the ability to generate signed APKs.  In Android Studio this is done from the build menu, choosing generate signed bundle / APK.  You then specify the keystore, key and passwords and you're good to go after choosing if this will be a debug or release build.

Checking the APK is signed

After a bit of Googling I was able to determine if the APK was signed - you do this with the jarsigner command:

jarsigner -verify -certs -verbose debug/app-debug.apk

Adding the -verbose flag also allows you to see which certificate signed it, and I confirmed the charity's certificate was being used.  This only added to my confusion as that certificate was already trusted in Firebase.

The solution

Hours after I started looking in to this problem I found this StackOverflow question.  It wasn't exactly the same issue I was having but one of the comments mentioned a second key.  This was news to me!  On Linux the key is located at ~/.android/debug.keystore and I hadn't copied that file over from my VM.

Rather than add another fingerprint to Firebase I copied over the VM's key and rebuilt the app again.  Following a frustrating morning, and most of the working afternoon, I'd finally cracked it.

If you're facing a similar issue I hope this post helps you.  If you want to read more on eVitabu you can see this tag.

Banner image a combination of the Android and Firebase logos, copyright their respective authors, and "Simple ID card" from OpenClipart.org by j4p4n.