At this time, I have been unsuccessful generating a signed aab file for upload to Google Play from Android Studio. Still, others may have more success following these steps, since their environment will be different from mine. These steps are reasonably complete, so you might try them out.
Google Play wants us to submit an .aab file instead of an .apk file so that Google Play can download just the files the user needs at the first download. (At this time, Google Play still accepts .apk files, however.) This could result in significant app install memory savings. You can learn more about this here: https://developer.android.com/guide/app-bundle
Until we have an automated command-line process from Apache Cordova, we can make this file with Android Studio. Here are the steps to do so. While making this article, I came across many errors in trying to make this process work. I ironed out the errors and pieced this workflow together so it is streamlined; otherwise it would have been twice as long to read about all my dead ends. (Along the way, I created an SDK. I’m not sure it is needed for these steps to work.)
When done, I deleted my project and started from scratch to make sure these steps worked.
This article assumes you’ve already downloaded and set up Android Studio (AS). If not, you can download it here: https://developer.android.com/studio
For more information on trying out AS, my old articles will give a few pointers, though they are a bit out of date:
Create the aab file
1. When your Apache Cordova app project has been created and finalized, launch Android Studio. (You don’t run ‘cordova build android’ for this process.)
2. Select Import Project (Eclipse ADT, Gradle, etc) in the home screen pane.
3. Select the Android platform directory in your project: <your-project>/platforms/android (with <your-project> being your own project’s name).
The project is being compiled. Click on the Build link, if it isn’t open already, and you can see the progress. (If you’re unsure where the links are, go to View > Tool Windows in the top menu bar.)
4. Check to see if there has been an update to Android Studio to keep it current. In the top menu, click on Android Studio > Check for Updates… and accept the update. Mine was for 3.5. I accepted the defaults, including to delete directories of unused versions of AS on my computer. I haven’t used AS for a long while.
(At one point, the Event Log said that several components were ready to update:
“IDE and Plugin Updates: The following components are ready to update: Android Emulator, Google Play services, Intel x86 Emulator Accelerator (HAXM installer), Android SDK Platform-Tools, Android SDK Platform 27, Android TV Intel x86 Atom System Image, Google APIs Intel x86 Atom System Image, Google APIs Intel x86 Atom_64 System Image”)
I clicked on Update Now to update, and clicked through over the next few screens and waited for the Component Installer to finish downloading and unzipping over a few gigabytes of new packages.
5. In the top menu bar, click on Build > Clean Project. (This removes the binaries inside build folders, the build artifacts, and postpones building them again until the next run, giving you a fresh slate to work with.)
6. In the top menu bar, click on Build > Build Bundle(s)/APK(s) > Build Bundle(s). I got an “Update the Android Gradle Plugin” notice. Building an Android app bundle requires this update. I clicked on Update.
9. In the top menu bar, click on Project > Build Bundle(s)/APK(s) > Build Bundle(s).
10. The Event Log pane will give the time and status of your build:
08:19 Build Bundle(s) App bundle(s) generated successfully for 1 module: Module 'app': locate or analyze the app bundle.
You can click on “locate” to show the .aab file in the Finder window, in platforms/android/app/build/outputs/bundle/debug/app-debug.aab
At one point I clicked on Sync. Its pane was pointing out that there was something wrong with the Android manifest file, that the minSdk should not be there. I clicked on the Refactor link and fixed it. So check the Sync pane on occasion when you encounter problems.
Sign the aab file
Follow these steps in AS to sign the Android app bundle file. Right now, it is signed with an insecure keystore which Google Play doesn’t accept.
1. In the top menu bar, click Build > Generate Signed Bundle / APK…
2. You’ll get options to sign an Android App Bundle (top option) or an APK. The Android App Bundle is selected by default (of course). Click on Next.
3. The Generate Signed Bundle or APK window has several fields to fill out. “app” should be in the Module field.
3a. If this is a revision or update of an existing app, then click on Choose existing… and navigate to your *.keystore file and select it. It should now appear in the Key Store Path field. If this is a new app, choose Create new…, fill in the fields, and put all of it down in a safe place so you don’t lose this information.
3b. Enter the Key store password in the field.
3c. Enter the Key alias.
3d. Enter the key password. (I don’t recall seeing this before.) It should be different from the password you chose for your keystore. Just create a new one if you don’t have it already, and note it in your password document.
3e. You have the option for AS to remember the passwords. You should take the time now to put down in a safe place all this information connected to this app. You don’t want to lose any of these passwords.
3f. You have the option to “Export encrypted key for enrolling published apps in Google Play App Signing.” Google recommends this option. If you ever lose your signing key, Google will have a copy of it.
3g. It will export the encrypted key (*.pepk file) to the Desktop unless you specify a different location. You will use this file in the Play store. See https://developer.android.com/studio/publish/app-signing.html#enroll_existing
3h. Click Next.
The Developer page says: “In Android Studio, you can configure your project to sign the release version of your app automatically during the build process by creating a signing configuration and assigning it to your release build type. A signing configuration consists of a keystore location, keystore password, key alias, and key password. To create a signing configuration and assign it to your release build type using Android Studio, complete the following steps:” https://developer.android.com/studio/publish/app-signing
4. This window says it will build a debug or release variant of the app. Click on one. You’ll want “release” for the Play Store. Note carefully the export path of the Destination Folder. Click on Finish.
If the signed app was made, you should get the Event Log message, “Locate exported key file.” You’ll click on the Locate link to find the file. It appears in a new Finder window. You can drag it out to the desktop.
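As an added check (not part of the original article or of Android Studio), the script below reports whether a bundle is still signed with the debug certificate or with your own key. It assumes the JDK's keytool is on your PATH; the function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify who signed an .aab, based on the output of
# `keytool -printcert -jarfile <bundle>` (keytool ships with the JDK).

# classify_signer: reads keytool output on stdin and prints one of
#   unsigned | debug | release
classify_signer() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Not a signed jar file'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -Eq '^Owner: .*CN=Android Debug'; then
        echo debug        # the debug keystore certificate
    elif printf '%s\n' "$out" | grep -q '^Owner: '; then
        echo release      # some other certificate, i.e. your own key
    else
        echo unsigned     # no certificate owner found at all
    fi
}

# check_bundle: run keytool on a real bundle; succeed only if release-signed.
check_bundle() {
    bundle=$1
    [ -f "$bundle" ] || { echo "not a file: $bundle" >&2; return 2; }
    verdict=$(keytool -printcert -jarfile "$bundle" 2>&1 | classify_signer)
    echo "$bundle: $verdict"
    [ "$verdict" = release ]
}

# Constructed sample: keytool output for a debug-signed bundle.
SAMPLE_DEBUG='Signer #1:

Signature:

Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug'

# Constructed sample: a bundle signed with a developer key (made-up names).
SAMPLE_RELEASE='Signer #1:

Signature:

Owner: CN=Example Developer, O=Example Apps, C=US
Issuer: CN=Example Developer, O=Example Apps, C=US'

# Usage: sh check_signer.sh path/to/app-release.aab
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```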
Create the private key file
Use these steps to download and use the pepk.jar file as a standalone instance to create the encrypted *.pem file:
1. Open your Google Play developer console and sign in, https://play.google.com/apps/publish/
2. Go to left menu for your app: Release Management > App Signing.
3. Select “Export and upload a key from a Java keystore.”
4. Copy/paste the command to a text file:
java -jar pepk.jar --keystore=foo.keystore --alias=foo --output=encrypted_private_key_path --encryptionkey=<very long string of letters and numbers>
5. Click on the PEPK TOOL button and accept the pepk.jar file. Keep this console page open while you finalize the encryption key code in the next steps.
6. Customize the code as follows. This example assumes you are going to use the /Downloads folder for everything:
java -jar /Users/<YourName>/Downloads/pepk.jar --keystore=/Users/<YourName>/Downloads/<YourKeystoreFilename>.keystore --alias=<YourAppAlias> --output=/Users/<YourName>/Downloads/encryptedPrivateKey.pem --encryptionkey=<very long string of letters and numbers>
pepk.jar: Path to the pepk.jar you downloaded in Step 5. If it was downloaded to the Mac’s Downloads folder and kept there, then use:
/Users/<YourName>/Downloads/pepk.jar (as usual, replace <YourName> with your own information, without the pointy brackets).
--keystore: Path to the *.keystore file that you used to sign your release APK. If you temporarily copied the *.keystore file to the Downloads folder:
--alias: The name of the alias you used to sign the release APK or aab.
--output: The path of the output file, with .pem extension.
--encryptionkey: Don’t make any changes here. You’ll find it in the App Signing page — copy and paste it as in step 6 above. It’s a very long string of letters and numbers.
If you get the output error:
Error: Unable to export or encrypt the private key java.io.FileNotFoundException: /Users/<YourName>/Downloads (Is a directory)
“/Downloads” is a directory and it is expecting me to end the path with a filename, like “/Downloads/myAppKeystore.keystore”
You may want to save this information in a safe place with the rest of your app data.
7. Paste the code in the terminal and run it. You’ll be asked for the keystore password, then the key password. It should output the encryption file in the folder you specified (/Downloads/myAppNamePrivateKey.pem in my example).
8. Return to the console page and click on APP SIGNING PRIVATE KEY to upload the .pem file.
9. Click on Finish. You should next get an acknowledgement: “App Signing by Google Play is enabled for this app. Learn more.” You can also download the App Signing certificate (deployment_cert.der) and Upload certificate (upload_cert.der) from this page.
At the bottom it says, “If you lose your upload key, contact the developer support team for help resetting it.” Clicking on the link will take you to a form.
That’s it. You created an aab file and its associated encrypted file.
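The script below is an added example, not Google's or the author's code: it checks the paths for the pepk.jar command in steps 6 and 7 before running it, catching the “Is a directory” error described above, and writes the output file with a restrictive umask. The function names are hypothetical, and refusing to overwrite an existing output file is this script's own policy.

```shell
#!/bin/sh
# Added example: validate the arguments of the pepk.jar command, then run it.

# pepk_preflight JAR KEYSTORE OUTPUT
# Prints one line per problem; returns 0 only when every path is usable.
pepk_preflight() {
    jar=$1 keystore=$2 output=$3
    problems=0
    for f in "$jar" "$keystore"; do
        if [ -d "$f" ]; then
            # The case behind "FileNotFoundException: ... (Is a directory)".
            echo "is a directory, expected a file: $f"; problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"; problems=$((problems + 1))
        fi
    done
    if [ -d "$output" ]; then
        echo "output is a directory, add a filename: $output"; problems=$((problems + 1))
    elif [ ! -d "$(dirname "$output")" ]; then
        echo "output folder does not exist: $(dirname "$output")"; problems=$((problems + 1))
    elif [ -e "$output" ]; then
        echo "output exists, refusing to overwrite: $output"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# run_pepk JAR KEYSTORE ALIAS OUTPUT ENCRYPTIONKEY
# The encryption key is the long string copied from the App Signing page.
run_pepk() {
    pepk_preflight "$1" "$2" "$4" || return 1
    (
        umask 077   # the exported .pem is readable by this user only
        java -jar "$1" --keystore="$2" --alias="$3" \
             --output="$4" --encryptionkey="$5"
    )
}

# Usage: sh run_pepk.sh pepk.jar my.keystore myalias out.pem <encryptionkey>
if [ "$#" -eq 5 ]; then run_pepk "$@"; fi
```

If you copied the keystore into Downloads only for this step, delete that copy once the .pem has been uploaded.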
To change passwords: https://stackoverflow.com/questions/14606837/cannot-recover-key/17757850
Validating passwords: https://stackoverflow.com/questions/15967650/caused-by-java-security-unrecoverablekeyexception-cannot-recover-key