App credentials

Learn about the app credentials that Android and iOS require.


Expo automates the process of signing your app for Android and iOS, but in both cases, you can choose to provide your own overrides. EAS Build can generate signed or unsigned applications, but to distribute your application through the stores, it must be a signed application.

On this page, you'll learn about the credentials that each platform requires. If you're curious about how we store your credentials on our end, take a look at our security documentation.

Android

Google requires all Android apps to be digitally signed with a certificate before they are installed on a device or updated. Usually, a private key and its public certificate are stored in a keystore. In the past, APKs uploaded to the store were required to be signed with the app signing certificate (a certificate that will be attached to the app in the Play Store), and if the keystore was lost there was no way to recover or reset it. Now, you can opt in to App Signing by Google Play and simply upload an APK signed with an upload certificate, and Google Play will automatically replace it with the app signing certificate. Both the old method (app signing certificate) and the new method (upload certificate) are essentially the same mechanism, but with the new method, if your upload keystore is lost or compromised, you can contact the Google Play support team to reset the key.

From the Expo build process's perspective, there is no difference between an app signed with an upload certificate and one signed with an app signing key. Either way, eas build will generate an .apk or .aab signed with the keystore currently associated with your application. If you want to generate an upload keystore manually, you can do that the same way you created your original keystore.

See Android's documentation to find more information about this process.

App signing by Google Play

When you upload your first release to Google Play, you will see a notice about "App signing by Google Play" and "Google is protecting your app signing key". This is the default behavior and requires no action on your behalf except to press "Continue".

If you currently manage your app signing key and want Google to manage it for you, see Use app signing by Google Play.

Lost your keystore? Learn how to reset your upload key on Google Play

To sync your Expo keystore with Google, follow these steps:

Download credentials

In a terminal window:

  1. Run the eas credentials command.
  2. Select Android for the platform and the profile whose credentials you wish to download.
  3. Select the option credentials.json: Upload/Download credentials between EAS servers and your local json.
  4. Select Download credentials from EAS to credentials.json.

Your application's keystore should be kept private. Under no circumstances should you check it into your repository. Debug keystores are the only exception because we don't use them for uploading apps to the Google Play Store.

Export keystore to pem format

Once you have downloaded your credentials and the keystore, export it to the pem format so that you can submit it to Google:

  1. Find the key alias in your credentials.json file under the keyAlias key.
  2. Use keytool to export the certificate:
     keytool -export -rfc -alias alias_from_step_1 -file certificate_for_google.pem -keystore ./path/to/keystore.jks

Contact Google support

Contact Google Support and request them to change your key using this support form. While filling out the form, attach the pem file exported from the keystore.

Once Google updates this on your account, builds created through eas build will be correctly signed as expected by the Google Play Store. Note that Google will set the validity start date of the new upload certificate to 72 hours in the future so you'll have to wait before your first submission after performing this process.
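Added example (not part of the Expo documentation): a pre-submission check for the steps above that builds the keytool command from credentials.json, confirms the exported file holds exactly one public certificate and no private key material, and computes its SHA-256 fingerprint. The android.keystore.keystorePath / keyAlias layout of credentials.json and all sample values are assumptions; the sample bytes are constructed placeholders.

```python
import base64
import hashlib
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def keytool_export_argv(credentials_json, out_pem="certificate_for_google.pem"):
    """Build the keytool export command from credentials.json content.

    Assumed layout: android.keystore.{keystorePath,keyAlias}. Returning an
    argv list avoids shell-quoting problems with unusual aliases or paths."""
    ks = json.loads(credentials_json)["android"]["keystore"]
    return ["keytool", "-export", "-rfc", "-alias", ks["keyAlias"],
            "-file", out_pem, "-keystore", ks["keystorePath"]]


def certificate_fingerprint(pem_text):
    """Return the colon-separated SHA-256 fingerprint of the certificate.

    Raises ValueError unless the text holds exactly one CERTIFICATE block,
    which catches a private key exported or concatenated by mistake.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample inputs (placeholder bytes, not a real certificate or key).
SAMPLE_CREDENTIALS = json.dumps({"android": {"keystore": {
    "keystorePath": "./path/to/keystore.jks",
    "keystorePassword": "PLACEHOLDER", "keyPassword": "PLACEHOLDER",
    "keyAlias": "alias_from_step_1"}}})
SAMPLE_DER = b"constructed placeholder DER bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(" ".join(keytool_export_argv(SAMPLE_CREDENTIALS)))
    print(certificate_fingerprint(SAMPLE_PEM))
```

On a real export, the fingerprint should match the SHA256 line printed by keytool -printcert -file certificate_for_google.pem.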

iOS

The 3 primary iOS credentials, all of which are associated with your Apple Developer account, are:

  • Distribution Certificate
  • Provisioning Profiles
  • Push Notification Keys

Whether you let EAS handle all your credentials, or you handle them yourself, it can be valuable to understand what each of these credentials means, when and where they're used, and what happens when they expire or are revoked. You can inspect and manage all your credentials with EAS CLI by running eas credentials.

Distribution certificate

The distribution certificate is all about you, the developer, and not about any particular app. You may only have one distribution certificate associated with your Apple Developer account. This certificate will be used for all of your apps. If this certificate expires, your apps in production will not be affected. However, you will need to generate a new certificate if you want to upload new apps to the App Store or update any of your existing apps. Deleting a distribution certificate has no effect on any apps already on the App Store. You can clear the distribution certificate Expo currently has stored for your app the next time you build by running eas credentials and following the prompts.

Push Notification keys

Apple Push Notification Keys (often abbreviated as APN keys) allow the associated apps to send and receive push notifications.

You can have a maximum of 2 APN keys associated with your Apple Developer account, and a single key can be used with any number of apps. If you revoke an APN key, all apps that rely on that key will no longer be able to send or receive push notifications until you upload a new key to replace it. Uploading a new APN key will not change your users' Expo Push Tokens. Push notification keys do not expire. You can clear the APN key Expo currently has stored for your app by running eas credentials and following the prompts.

APN keys created by Expo can be downloaded on the Expo website.

Provisioning profiles

Each profile is app-specific, meaning you will have a provisioning profile for every app you submit to the App Store. These provisioning profiles are associated with your distribution certificate, so if that is revoked or expired, you'll need to regenerate the app's provisioning profile, as well. Similar to the distribution certificate, revoking your app's provisioning profile will not have any effect on apps already on the App Store.

Provisioning profiles expire after 12 months, but this won't affect apps in production. You will just need to create a new one the next time you build your app by running eas build -p ios, or manually with eas credentials.

Summary

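| Credential               | Limit Per Account | App-specific? | Can be revoked with no production side effects? | Used at    |
| ------------------------ | ----------------- | ------------- | ----------------------------------------------- | ---------- |
| Distribution Certificate | 2                 | No            | Yes                                             | Build time |
| Push Notification Key    | 2                 | No            | No                                              | Run time   |
| Provisioning Profile     | Unlimited         | Yes           | Yes                                             | Build time |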

Clearing credentials

When you use the eas credentials command to delete your credentials, this only removes those credentials from Expo's servers. It does not delete the credentials from Apple's perspective. This means that to fully delete your credentials (for example, if you want a new push notification key but you already have two), you'll need to do so from the Apple Developer Console.

Re-signing new credentials

You can use eas build:resign to codesign an existing .ipa for iOS to a new ad hoc provisioning profile. This helps reduce time when distributing internally — for example, if you want to add a new test device to an existing build, you can use this command to update the provisioning profile to include the device without rebuilding the entire app from scratch.

Running the command will ask you to select a build that you want to re-sign. For example, running the command in an example project shows an available build:

After selecting the build, follow the steps to log in to your Apple Developer account. When prompted with Show devices and ask me again, you can select a new provisioning profile.

Select a new device, and the command will run the EAS Build again. Note that the build triggered this time reuses the application artifact from the selected build and codesigns it with the new provisioning profile. Once this process is complete, you can use this new build link to install the .ipa on the iOS device added to the provisioning profile.