Bubblewrap is a project created to help web developers package their Progressive Web Apps for distribution on Google Play and has been used as the foundation of some app bundling services. Often, though, this meant users were handing over their Android signing keys and password when creating a new project without knowing if they were being stored or potentially leaked. Having a leaked key could allow a malicious party to impersonate a developer and release harmful package updates that would otherwise appear to be legitimate.
The Android Package Signer repository is the best place to go to keep up-to-date with the package.
To add Android Package Signer to your project, first install it from NPM:
From there, require it in your project and initialize it. The password is a string and should be a minimum of six characters long. This will protect your keystore, so the longer the password, the better.
This will instantiate a class that can be used to generate a key and sign a package with a key. To generate a key, pass the class’s generateKey method a DName object.
The response from the generateKey function is a base64-encoded, DER-formatted PKCS12 keystore. To save this keystore, write the contents of the base64Der string to a file. In the below example we use an anchor element with an href attribute containing the base64-encoded keystore. Using the File System Access API is also a good solution.
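The following is an added example, not code from the original post or from the Android Package Signer project: it checks that the returned string really decodes to a DER PKCS12 structure before building the anchor href, so a truncated or corrupted keystore is never saved as the only copy of a signing key. The function names, the keystore.p12 file name and the sample bytes are assumptions made for illustration.

```javascript
// Added example, not from the Android Package Signer project.
// Assumption: `base64Der` is the string returned by the key-generation step.
// Decode base64 to bytes; atob exists in browsers and in Node 16+.
function decodeBase64(base64Der) {
  if (typeof base64Der !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(base64Der)) {
    throw new TypeError('keystore is not a plain base64 string');
  }
  return Uint8Array.from(atob(base64Der), (c) => c.charCodeAt(0));
}

// Read a DER length field at `offset`; returns { length, next }.
function readDerLength(bytes, offset) {
  const first = bytes[offset];
  if (first === undefined) throw new RangeError('truncated DER length');
  if (first < 0x80) return { length: first, next: offset + 1 };
  const n = first & 0x7f;
  if (n === 0 || n > 4) throw new RangeError('indefinite or oversized length');
  if (offset + 1 + n > bytes.length) throw new RangeError('truncated DER length');
  let length = 0;
  for (let i = 1; i <= n; i++) length = length * 256 + bytes[offset + i];
  return { length, next: offset + 1 + n };
}

// A PKCS#12 PFX is SEQUENCE { version INTEGER 3, authSafe, macData OPTIONAL }.
function looksLikePkcs12(bytes) {
  if (bytes[0] !== 0x30) return false;
  let outer;
  try { outer = readDerLength(bytes, 1); } catch (e) { return false; }
  if (outer.next + outer.length !== bytes.length) return false; // truncated or trailing data
  const v = outer.next;
  return bytes[v] === 0x02 && bytes[v + 1] === 0x01 && bytes[v + 2] === 0x03;
}

// Build the href for <a download>; throws instead of saving a corrupt keystore.
function keystoreDataUrl(base64Der) {
  if (!looksLikePkcs12(decodeBase64(base64Der))) throw new Error('not a DER PKCS#12 keystore');
  return 'data:application/x-pkcs12;base64,' + base64Der;
}

// Browser side: `doc` is the page's `document`; the file name is a placeholder.
function downloadKeystore(doc, base64Der, filename = 'keystore.p12') {
  const a = doc.createElement('a');
  a.href = keystoreDataUrl(base64Der);
  a.download = filename;
  a.click();
}

// Constructed sample: a structurally valid but empty PFX header, not a real keystore.
const SAMPLE = btoa(String.fromCharCode(0x30, 0x05, 0x02, 0x01, 0x03, 0x30, 0x00));
```

The check only confirms the outer PKCS12 framing; it does not prove the keystore opens with your password, so test the saved file before relying on it.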
For signing an Android package, use the following:
signPackage signs and zipaligns your Android package, returning a base64-encoded zip file that can be downloaded in the same way as the key and distributed to your favorite Android application stores.
Please install the package and let us know what you think!