How does Android code signing work in Flutter?
TL;DR: Create a keystore with keytool, configure signingConfigs in android/app/build.gradle, and store credentials in a key.properties file (not committed to git). For CI, store the base64-encoded keystore in GitHub Secrets.
Full Answer
Every release APK/AAB must be signed with your keystore before uploading to Google Play. The same keystore must be used for all future updates — losing it means creating a new app listing.
Steps
- ▸keytool -genkey -v -keystore release.jks -keyalg RSA -keysize 2048 -validity 10000
- ▸Create android/key.properties with storeFile, storePassword, keyAlias, keyPassword
- ▸Add key.properties to .gitignore immediately
- ▸Configure build.gradle signingConfigs.release block
- ▸flutter build appbundle --release
Back up your keystore file and passwords immediately in a secure password manager. Losing them means your app can never be updated on Google Play — you'd have to create a new listing.
Code Examples
// flutter build appbundle --release // Signed AAB ready for Google Play upload
Common Mistakes
- ✗Committing key.properties or the .jks file to the repository
- ✗Using the same keystore for development and production — keep them separate
Interview Tip
Losing your keystore is catastrophic. Show you know to back it up securely and that Google Play's App Signing by Google can be a safety net for the upload key.