Provide OPK app signature API

Feature Description:

As a part of OW client 188, there will be a new app signature process.
Only apps that were deployed to the dev console will be signed automatically.

Our workflow is currently:

  1. Build the OPK in our CI system
  2. Download the OPK
  3. Upload the OPK to our test channel on the dev console
  4. Download the OPK from dev console
  5. Install the OPK

This creates an overhead of signing the OPK manually for each build
We are creating a new branch for each feature so it comes down to a lot of manual work

We need a secured end point that receives a built OPK and returns a signed OPK instead

impact for my app:

low-mid (we do have a workaround but it would ease our dev cycle)

What is your current pain point?

There’s a manual step in a mostly automatic flow (CI)

What do you have in mind to solve it?

Provide a secure API/endpoint to sign dev OPK builds

You should use the test channels and stop after step #3.

In the near future, you’ll be able to upload your opks to a test channel with an API key.


Just chiming in after our team hit this issue (also discussed on Slack).

Given that the root problem is the additional work this introduces to dev & test cycles, would it be possible to allow developer users bypass the check e.g. by accepting a prompt saying it’s an unverified build? Perhaps testers as well?

This doesn’t fit the same topic exactly, but from my experience most platforms that have a signed builds check also allow developers to bypass the check via checking a prompt (at least chrome plugins, android apps)

Hi Mythic,
After hearing devs feedback, we are currently aiming at providing a CLI that allows you to sign your opk without having to upload/download it.