[BUG]: AndroidSigning@3 succeeds in a pipeline, but Google Play console says AAB signed in debug mode #20836

Open
@svetvasilev

Task name

AndroidSigning@3

Task version

3.246.3

Issue Description

My yaml pipeline has the following definition for prepping the agent host (ubuntu latest) and signing the package after building a MAUI Android app:

- task: Bash@3
  displayName: Install MAUI
  inputs:
    targetType: 'inline'
    script: |
      dotnet nuget locals all --clear 
      dotnet workload install maui-android 
      $ANDROID_SDK_ROOT/cmdline-tools/latest/bin/sdkmanager "platform-tools"

- task: CmdLine@2
  displayName: 'Build Android App'
  inputs:
    script: 'dotnet publish -f net8.0-android -c Release my.app.csproj'
    workingDirectory: './src/Mobile/'

- task: AndroidSigning@3
  displayName: 'Signing and aligning APK file(s) **/*.apk'
  inputs:
    apkFiles: '**/*.apk'
    apksign: true
    apksignerKeystoreFile: '$(keystoreFilename)'
    apksignerKeystorePassword: $(KeyStoreSecret)
    apksignerKeystoreAlias: $(KeyStoreAlias)
    apksignerKeyPassword: $(KeyStoreSecret)

It runs successfully, but when I upload the my.app-signed.aab file to Google Console (for the first-time release setup), I get the error message 'You have uploaded a package signed in debug mode'. As you can see from the second task, the build config is Release.
I have verified that the package is actually signed with the intended certificate from the key store by running:

apksigner verify --print-certs --verbose c:\path\to\app\my.app-Signed.apk-Signed.apk
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=***, OU=****, O=*****, L=****, ST=****, C=**
Signer #1 certificate SHA-256 digest: **********************
Signer #1 certificate SHA-1 digest: ***************************
Signer #1 certificate MD5 digest: *****************************
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: ***************************************************
Signer #1 public key SHA-1 digest: ***********************
Signer #1 public key MD5 digest: ************************

I have also verified whether the APK manifest says something about debuggability, like this:

apkanalyzer manifest debuggable c:\path\to\app\my.app-Signed.apk

And the output is false

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu latest

Relevant log output

2025-02-04T15:07:25.2533690Z ##[section]Starting: Signing and aligning APK file(s) **/*.apk
2025-02-04T15:07:25.2549440Z ==============================================================================
2025-02-04T15:07:25.2549599Z Task         : Android signing
2025-02-04T15:07:25.2549697Z Description  : Sign and align Android APK files
2025-02-04T15:07:25.2549792Z Version      : 3.246.3
2025-02-04T15:07:25.2549865Z Author       : Microsoft Corporation
2025-02-04T15:07:25.2549972Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/build/android-signing
2025-02-04T15:07:25.2550092Z ==============================================================================
2025-02-04T15:07:26.7522922Z [command]/usr/local/lib/android/sdk/build-tools/35.0.1/zipalign -v 4 /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/my.app-Signed.apk.unaligned /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/my.app-Signed.apk
2025-02-04T15:07:26.9654215Z Verifying alignment of /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/my.app-Signed.apk (4)...
******
TRUNCATED
******
2025-02-04T15:07:27.0569505Z Verification succesful
2025-02-04T15:07:27.0569581Z 
2025-02-04T15:07:27.0570472Z [command]/usr/local/lib/android/sdk/build-tools/35.0.1/apksigner sign --ks /home/vsts/work/_temp/myapp.keystore --ks-pass pass:*** --ks-key-alias myappkey --key-pass pass:*** --verbose /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/my.app-Signed.apk
2025-02-04T15:07:30.2933622Z Signed
2025-02-04T15:07:30.3045195Z 
2025-02-04T15:07:30.3316982Z [command]/usr/local/lib/android/sdk/build-tools/35.0.1/zipalign -v 4 /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/publish/my.app-Signed.apk.unaligned /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/publish/my.app-Signed.apk
2025-02-04T15:07:30.4352871Z Verifying alignment of /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/publish/my.app-Signed.apk (4)...
******
TRUNCATED
******
2025-02-04T15:07:30.5168799Z Verification succesful
2025-02-04T15:07:30.5168873Z 
2025-02-04T15:07:30.5169823Z [command]/usr/local/lib/android/sdk/build-tools/35.0.1/apksigner sign --ks /home/vsts/work/_temp/myapp.keystore --ks-pass pass:*** --ks-key-alias myappkey --key-pass pass:*** --verbose /home/vsts/work/1/s/src/Mobile/bin/Release/net8.0-android/publish/my.app-Signed.apk
2025-02-04T15:07:33.3669397Z Signed
2025-02-04T15:07:33.3776955Z 
2025-02-04T15:07:33.3880926Z ##[section]Finishing: Signing and aligning APK file(s) **/*.apk
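
The report inspects the APK with apksigner, while the task's apkFiles glob is '**/*.apk' and the file uploaded is my.app-signed.aab. As an added example (not part of the original issue or of the task's code), this Bash gate reads the signer subject of every artifact that will be uploaded and fails on the debug certificate; the function names, the sample data and the debug subject "CN=Android Debug, O=Android, C=US" are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Assumption: the SDK's auto-generated debug keystore issues a
# certificate with subject "CN=Android Debug, O=Android, C=US".

# Constructed sample tool output (not taken from a real build).
SAMPLE_RELEASE='Signer #1 certificate DN: CN=Example Corp, O=Example, C=NO'
SAMPLE_DEBUG='Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US'

# Read tool output on stdin and print one signer subject DN per line.
# Handles apksigner "certificate DN:" lines and keytool "Owner:" lines
# (keytool text is locale-dependent; English output is assumed).
signer_subjects() {
  sed -n -E \
    -e 's/^Signer #[0-9]+ certificate DN:[[:space:]]*//p' \
    -e 's/^[[:space:]]*Owner:[[:space:]]*//p'
}

# Exit status: 0 = signers found and none is the debug certificate,
#              1 = a debug signer is present, 2 = no signer found at all.
classify_signers() {
  local subjects
  subjects=$(signer_subjects)
  [ -n "$subjects" ] || return 2
  if printf '%s\n' "$subjects" |
     grep -qiE '(^|,)[[:space:]]*CN=Android Debug[[:space:]]*(,|$)'; then
    return 1
  fi
  return 0
}

# Pick the inspection tool by artifact type: apksigner inspects APKs; an AAB
# is signed as a JAR, so keytool lists its signer instead.
check_artifact() {
  case "$1" in
    *.apk) apksigner verify --print-certs "$1" 2>&1 | classify_signers ;;
    *.aab) keytool -printcert -jarfile "$1" 2>&1 | classify_signers ;;
    *)     return 3 ;;
  esac
}

# Pipeline use: pass every artifact that will be uploaded; stop at the first
# one that is unsigned, debug-signed or of an unknown type.
for artifact in "$@"; do
  rc=0; check_artifact "$artifact" || rc=$?
  echo "$artifact: status $rc"
  [ "$rc" -eq 0 ] || exit "$rc"
done
```

Run after the signing step, a non-zero exit fails the job before anything is uploaded to the store.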
