在Google Cloud Platform开发者控制台中为Android创建客户端ID时,我会看到以下弹出窗口:
重复的指纹
p>您在此项目或另一个项目中的Android OAuth2 客户端ID已使用您指定的指纹
作为弹出状态,我确实有另一个具有相同SHA-1指纹的项目。我不明白为什么我不能在多个项目中使用相同的SHA-1指纹(签名证书)?
如果您使用针对多个Android应用程序提供相同的调试或发行签名证书这对于调试证书并不是什么大问题,因为您可以随时创建一个新的版本,但是如果您已经使用相同的版本证书签署多个生产型Android应用程序,您是否可以不为每个应用程序创建单独的Google Cloud项目?
这是一个错误,还是您真的不能为多个Google Cloud项目使用相同的Android签名证书?
为每个Android应用始终使用新版本签名证书是否是最佳做法?
解决方案首先,为什么我们需要一个唯一的证书和包名称。我们之前决定不需要在android应用程序中指定clientID(对于开发简单性和缓解某些问题,例如,如果某人即使可以拥有相同的包名称,也没有证书,则不能声称/使用您的客户ID)。我们可以根据软件包名称和证书哈希来查找clientID。这要求组合是唯一的。那有意义吗?要清楚你可以使用相同的证书,以及不同的应用程序包名称,并且很多都可以。对于每个Android应用程序,总是使用新的发行版签名证书?
我认为有优点和缺点。如果您想要销售/更改应用程序的所有权(您拥有的许多应用程序),使用单独的证书将会更轻松。你也需要考虑妥协或丢失证书。 相同的证书使发布过程更容易,并声称它们来自同一实体。
When creating a client ID for Android in the Google Cloud Platform developer console, I get the following popup:
Duplicate fingerprint
The fingerprint you specified is already used by an Android OAuth2 client ID in this project or another project
As the popup states, I do have another project that has the same SHA-1 fingerprint. What I don't understand is why I can't use the same SHA-1 fingerprint (signing certificate) with multiple projects?
This has serious implications if you use the same debug or release signing certificates for multiple Android apps. This isn't a huge deal for debug certificates, since you can always create a new one, however if you've already used the same release certificate to sign multiple production Android apps, can you not create separate Google Cloud projects for each app?
Is this a bug, or can you really not use the same Android signing certificate for multiple Google Cloud projects?
Is it a best practice to always use a new release signing certificate for every Android app?
解决方案First why we need to have an unique cert and package name.. A while back we decide that you shouldn't need to specify clientID in the android app (for dev simplicity and mitigate certain issues e.g. someone can not claim/use your client id if they don't have the cert even if they can have the same package name). We can do a lookup the clientID based on the package name and cert hash. This requires the combination to be unique. Does that make sense? To be clear you can use the same cert along with a different package name of the app and many do.
Is it a best practice to always use a new release signing certificate for every Android app?
I think there are pros and cons. If you ever want to sell/change ownership an app (out of many you have), it would be easier with separate cert. Also you need to think about the compromise or loss of cert. Same cert does make release process easier and to claim that they are from the same entity.
更多推荐
无法创建Android OAuth2客户端ID(重复指纹)
发布评论