Ionic Package is not signing my Android debug builds

Greetings…

I’m running into the all too common “Blocked by Play Protect” issue when I try install an APK directly on each of my local Android testing devices. I’ve been trying to fix this issue for over a week now and I’m still having no luck here.

Note: Just in case this is relevant, please note that I am building an Ionic 3 app, which requires cordova-cli@8.1.0. So I have implemented the cordovaOverride.sh steps described the Appflow docs FAQ section.

One interesting and perplexing point with the cordova build android command though:

  • local build with no keystore file specified: install succeeds.
  • local build with specifying a keystore file: install succeeds.
  • Ionic Package build: install fails.

Checking each of these three APK files with jarsigner -verify -certs -verbose, I see the following key points:

  • local build with no keystore file specified: includes the internal default values for C, O and CN.
  • local build with specifying a keystore file: includes the relevant values for CN, OU, O, L, ST and C as set for the relevant certificate in my keystore.
  • Ionic Package build: includes the internal default values for C, O and CN.

Looking at the Ionic Package build log pages, my iOS development builds show the “development” Security Profile in the right side bar (as I expect) but my Android development builds do not, despite having uploaded my Android keystore file to my “development” Security Profile and setting the correct alias and password values.


If I download the Ionic Package binary and sign it using the apksigner.cmd tool from the build-tools included in my Android SDK folder, using the exact same alias and password as I specified in my configuration for the security profile for my app, then it installs without any issue on my local device.

So my biggest question right now is: why does Ionic Package not sign my debug APK using the details I’ve told it to use?

Note: I only have a “Starter” Appflow subscription, so I cannot use the CLI to request a build with a specific Security Profile, I have to do this through the web UI.

I’ve just configured a “Release” profile and then while creating my first release builds, I just noticed something: When creating an Android build, I don’t even have the opportunity to select a security profile for a “debug build”…

Surely this is an oversight in the build process in Ionic Package…? Why don’t we have the option to sign debug builds?

…and now, just to make things even more interesting, the ipa file generated using my “Release” security profile doesn’t appear to be signed with the certificate I added to my Ionic Appflow profile.

The .p12 file, .provisionprofile file and certificate password I supplied were all accepted. Tried creating a new one using the .cer file instead just in case, but it seems Appflow does actually need the .p12 file for that.

Please will somebody help me figure out what’s going on here??