应用凭据
了解 Android 和 iOS 需要什么应用凭据。
Expo 自动化了为 Android 和 iOS 签名应用的过程,但在这两种情况下,你都可以选择提供自己的覆盖设置。EAS Build 可以生成已签名或未签名的应用,但要通过应用商店分发你的应用,它必须是已签名的应用。
🌐 Expo automates the process of signing your app for Android and iOS, but in both cases, you can choose to provide your overrides. EAS Build can generate signed or unsigned applications, but to distribute your application through the stores, it must be a signed application.
在此页面上,你将了解每个平台所需的凭证。如果你想了解我们如何在本端存储你的凭证,请查看我们的安全文档。
🌐 On this page, you'll learn about the credentials that each platform requires. If you're curious about how we store your credentials on our end, take a look at our security documentation.
安卓
🌐 Android
谷歌要求所有 Android 应用在安装到设备或更新之前,必须通过证书进行数字签名。通常,私钥及其公钥证书会存储在密钥库中。过去,上传到应用商店的 APK 需要使用应用签名证书进行签名(该证书会附在 Play 商店中的应用上),如果密钥库丢失,则无法恢复或重置。现在,你可以选择使用 Google Play 的应用签名功能,只需上传使用上传证书签名的 APK,Google Play 会自动替换为应用签名证书。旧方法(应用签名证书)和新方法(上传证书)本质上是相同的机制,但使用新方法时,如果上传密钥库丢失或被泄露,可以联系 Google Play 支持团队重置密钥。
🌐 Google requires all Android apps to be digitally signed with a certificate before they are installed on a device or updated. Usually, a private key and its public certificate are stored in a keystore. In the past, APKs uploaded to the store were required to be signed with the app signing certificate (a certificate that will be attached to the app in the Play Store), and if the keystore was lost there was no way to recover or reset it. Now, you can opt-in to App Signing by Google Play and simply upload an APK signed with an upload certificate, and Google Play will automatically replace it with the app signing certificate. Both the old method (app signing certificate) and new method (upload certificate) are essentially the same mechanisms, but using the new method, if your upload keystore is lost or compromised, you can contact the Google Play support team to reset the key.
从 Expo 构建过程的角度来看,应用是使用 上传证书 还是 应用签名密钥 进行签名,没有任何区别。无论哪种方式,eas build 都会生成使用当前与你的应用关联的密钥库签名的 .apk 或 .aab 文件。如果你想手动生成一个上传密钥库,你可以像创建原始密钥库的方式一样进行操作。
🌐 From the Expo build process's perspective, there is no difference between whether an app is signed with an upload certificate or an app signing key. Either way, eas build will generate an .apk or .aab signed with the keystore currently associated with your application. If you want to generate an upload keystore manually, you can do that the same way you created your original keystore.
请参阅 Android 文档 以获取有关此过程的更多信息。
🌐 See Android's documentation to find more information about this process.
Google Play 的应用签名
🌐 App signing by Google Play
当你首次将应用发布到 Google Play时,你会看到关于“由 Google Play 进行应用签名”和“Google 正在保护你的应用签名密钥”的提示。这是默认行为,你无需采取任何操作,只需点击“继续”。
🌐 When you upload your first release to Google Play you will see a notice about "App signing by Google Play" and "Google is protecting your app signing key". This is the default behavior and requires no action on your behalf except to press "Continue".
如果你当前自行管理应用签名密钥,并希望由 Google 为你管理,请参阅 使用 Google Play 应用签名。
🌐 If you currently manage your app signing key and want Google to manage it for you, see Use app signing by Google Play.
丢失了密钥库?了解如何在 Google Play 上重置你的上传密钥
要将你的 Expo 密钥库与 Google 同步,请按照以下步骤操作:
🌐 To sync your Expo keystore with Google, follow these steps:
下载凭证
🌐 Download credentials
在终端窗口中:
🌐 In a terminal window:
- 运行
eas credentials命令。 - 选择
Android作为平台以及你希望下载其凭证的配置文件。 - 选择选项
credentials.json: Upload/Download credentials between EAS servers and your local json。 - 选择
Download credentials from EAS to credentials.json。
你的应用的密钥库应该保持私密。在任何情况下都不应将其提交到你的代码仓库。 唯一的例外是调试密钥库,因为我们不会使用它们上传应用到 Google Play 商店。
🌐 Your application's keystore should be kept private. Under no circumstances should you check it into your repository. Debug keystores are the only exception because we don't use them for uploading apps to the Google Play Store.
将密钥库导出为 pem 格式
🌐 Export keystore to pem format
下载了你的凭证和密钥库后,将其导出为 pem 格式,以便你可以提交给 Google:
🌐 Once you have downloaded your credentials and the keystore, export it to the pem format so that you can submit it to Google:
- 在你的 credentials.json 文件中,在
keyAlias键下找到密钥别名。 - 使用
keytool导出证书:
- keytool -export -rfc -alias alias_from_step_1 -file certificate_for_google.pem -keystore ./path/to/keystore.jks联系谷歌支持
🌐 Contact Google support
联系谷歌支持,并请求他们使用 此支持表单 更改你的密钥。在填写表单时,附上从密钥库导出的 pem 文件。
🌐 Contact Google Support and request them to change your key using this support form. While filling out the form, attach the pem file exported from the keystore.
一旦 Google 在你的账户上更新了此内容,通过 eas build 创建的构建将会按 Google Play 商店的预期正确签名。请注意,Google 会将新上传证书的有效开始日期设置为未来 72 小时,因此在执行此过程后,你需要等待才能进行第一次提交。
🌐 Once Google updates this on your account, builds created through eas build will be correctly signed as expected by the Google Play Store. Note that Google will set the validity start date of the new upload certificate to 72 hours in the future so you'll have to wait before your first submission after performing this process.
iOS
三个主要的 iOS 凭证,它们都与你的苹果开发者账号相关,分别是:
🌐 The 3 primary iOS credentials, all of which are associated with your Apple Developer account, are:
- 分发证书
- 配置描述文件
- 推送通知密钥
无论你是让 EAS 管理所有的凭证,还是自己管理,了解每个凭证的含义、使用的时间和地点,以及它们过期或被撤销时会发生什么,都是很有价值的。你可以通过运行 eas credentials 使用 EAS CLI 检查和管理所有凭证。
🌐 Whether you let EAS handle all your credentials, or you handle them yourself, it can be valuable to understand what each of these credentials means, when and where they're used, and what happens when they expire or are revoked. You can inspect and manage all your credentials with EAS CLI by running eas credentials.
分发证书
🌐 Distribution certificate
分发证书是关于你这个开发者的,而不是关于任何特定的应用。你的 Apple 开发者账户中只能有一个分发证书。这个证书将用于你所有的应用。如果该证书过期,你在生产环境中的应用不会受到影响。然而,如果你想上传新的应用到 App Store 或更新任何现有应用,你需要生成一个新的证书。删除分发证书不会影响已经在 App Store 上的任何应用。你可以在下次构建应用时,通过运行 eas credentials 并按照提示操作来清除 Expo 当前为你的应用存储的分发证书。
🌐 The distribution certificate is all about you, the developer, and not about any particular app. You may only have one distribution certificate associated with your Apple Developer account. This certificate will be used for all of your apps. If this certificate expires, your apps in production will not be affected. However, you will need to generate a new certificate if you want to upload new apps to the App Store or update any of your existing apps. Deleting a distribution certificate has no effect on any apps already on the App Store. You can clear the distribution certificate Expo currently has stored for your app the next time you build by running eas credentials and following the prompts.
推送通知密钥
🌐 Push Notification keys
苹果推送通知密钥(通常缩写为 APN 密钥)允许关联的应用发送和接收推送通知。
🌐 Apple Push Notification Keys (often abbreviated as APN keys) allow the associated apps to send and receive push notifications.
你的 Apple 开发者账户最多可以关联 2 个 APN 密钥,且单个密钥可以用于任意数量的应用。如果你撤销某个 APN 密钥,所有依赖该密钥的应用将无法发送或接收推送通知,直到你上传新的密钥以替换它。上传新的 APN 密钥不会更改用户的 Expo 推送令牌。推送通知密钥不会过期。你可以通过运行 eas credentials 并按照提示操作,清除 Expo 当前为你的应用存储的 APN 密钥。
🌐 You can have a maximum of 2 APN keys associated with your Apple Developer account, and a single key can be used with any number of apps. If you revoke an APN key, all apps that rely on that key will no longer be able to send or receive push notifications until you upload a new key to replace it. Uploading a new APN key will not change your users' Expo Push Tokens. Push notification keys do not expire. You can clear the APN key Expo currently has stored for your app by running eas credentials and following the prompts.
由 Expo 创建的 APN 密钥可以在 Expo 网站 下载。
配置描述文件
🌐 Provisioning profiles
每个配置文件都是特定于应用的,这意味着你为提交到 App Store 的每个应用都会有一个配置文件。这些配置文件与你的分发证书相关联,因此如果证书被吊销或过期,你也需要重新生成该应用的配置文件。与分发证书类似,吊销应用的配置文件不会对已经在 App Store 上的应用产生任何影响。
🌐 Each profile is app-specific, meaning you will have a provisioning profile for every app you submit to the App Store. These provisioning profiles are associated with your distribution certificate, so if that is revoked or expired, you'll need to regenerate the app's provisioning profile, as well. Similar to the distribution certificate, revoking your app's provisioning profile will not have any effect on apps already on the App Store.
配置文件在 12 个月后会过期,但这不会影响已上线的应用。下次构建应用时,你只需通过运行 eas build -p ios 创建一个新的配置文件,或者使用 eas credentials 手动创建。
🌐 Provisioning profiles expire after 12 months, but this won't affect apps in production. You will just need to create a new one the next time you build your app by running eas build -p ios, or manually with eas credentials.
概括
🌐 Summary
| 凭证 | 每账户限制 | 应用特定? | 可撤销且无生产环境影响? | 使用时间 |
|---|---|---|---|---|
| 分发证书 | 2 | 构建时 | ||
| 推送通知密钥 | 2 | 运行时 | ||
| 描述文件 | 不限 | 构建时 |
清除凭据
🌐 Clearing credentials
当你使用 eas credentials 命令删除你的凭据时,这只会从 Expo 的服务器上移除这些凭据。这并不会从 Apple 的角度删除凭据。这意味着要完全删除你的凭据(例如,如果你想要一个新的推送通知密钥,但你已经有两个),你需要从 Apple 开发者控制台 进行操作。
🌐 When you use the eas credentials command to delete your credentials, this only removes those credentials from Expo's servers. It does not delete the credentials from Apple's perspective. This means that to fully delete your credentials (for example, if you want a new push notification key, however, you already have two), you'll need to do so from the Apple Developer Console.
重新签署新凭证
🌐 Re-signing new credentials
你可以使用 eas build:resign 对现有的 iOS .ipa 文件进行代码签名,以适配新的临时分发(ad hoc)配置描述文件。这有助于在内部分发时节省时间 —— 例如,如果你想在现有构建中添加一个新的测试设备,可以使用此命令更新配置描述文件以包含该设备,而无需从头重新构建整个应用。
🌐 You can use eas build:resign to codesign an existing .ipa for iOS to a new ad hoc provisioning profile. This helps reduce time when distributing internally — for example, if you want to add a new test device to an existing build, you can use this command to update the provisioning profile to include the device without rebuilding the entire app from scratch.
运行该命令会要求你选择一个要重新签名的构建。例如,在一个示例项目中运行该命令会显示一个可用的构建:
🌐 Running the command will ask you to select a build that you want to re-sign. For example, running the command in an example project shows an available build:
选择构建后,按照步骤登录到你的 Apple 开发者账户。当出现 显示设备并再次询问我 提示时,你可以选择新的描述文件。
🌐 After selecting the build, follow the steps to log in to your Apple Developer account. When prompted Show devices and ask me again, you can select a new provisioning profile.
选择一个新的设备,命令将再次运行 EAS 构建。请注意,这次触发的构建会重用所选构建的应用工件,并使用新的配置描述文件进行代码签名。此过程完成后,你可以使用这个新的构建链接在添加到配置描述文件的 iOS 设备上安装 .ipa 文件。
🌐 Select a new device, and the command will run the EAS Build again. Note that the build triggered this time reuses the application artifact from the selected build and codesigns it with the new provisioning profile. Once this process is complete, you can use this new build link to install the .ipa on the iOS device added to the provisioning profile.