
Which RELEASE Certificates (Signing/Upload) to Set Up in Google API keys and Firebase Settings


While there were many related posts, I could not find an exact answer to my question.

I will create a separate Firebase project before we get the app to Production, but for now I'm trying to use a single Firebase project but separate google API keys for DEBUG and RELEASE.

For Android RELEASE builds, where does each SHA-1 fingerprint (signing vs upload) have to be entered?

I put both signing (from GooglePlay console) and upload (from keytool with RELEASE keystore) fingerprints in:

  • google-services.json in app build
  • Firebase project settings
  • Google API key restrictions

I assume I need both in the API key restrictions because I need the key to work regardless of whether the RELEASE build is uploaded directly to a test device or the build was downloaded from GooglePlay store.

I didn't think I needed the signing SHA-1 in google-services.json because I thought GooglePlay overwrites the SHA-1 with its own automatically, but other posts have mentioned needing the signing SHA-1 on Firebase settings as well, and adding it there updated the google-services.json file Firebase provides for download.

However, upon attempting anonymous login (with RELEASE build on a test device), the RELEASE build gives the error:

"Requests from this Android client application {package.name} are blocked."

Does the order I put the fingerprints in matter? Should I have only put in one? I previously only had the upload fingerprint, but it also didn't work.

Solution from related posts that I have tried to no avail:

  • deleting and re-entering the fingerprints in Firebase

Works but not ideal:

  • removing certificate restrictions in API key and making the API key unrestricted

Solution

  • Apparently, adding the DEBUG certificate to the RELEASE API key restrictions (even though the google-services.json in RELEASE mode doesn't have it listed) is what works.

    It seems deploying a RELEASE build to a device connected by USB inadvertently still uses the DEBUG certificate for signing.
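The mismatch described in the solution above can be checked directly. The following is an added example, not part of the original post: it compares the SHA-1 of the certificate that actually signed the installed build (for instance as printed by `apksigner verify --print-certs`) with the fingerprints allowed on the API key and listed in google-services.json. The package name `com.example.app`, the fingerprints and the JSON content are constructed sample values, and `diagnose` is a hypothetical helper name.

```python
def normalize(fp: str) -> str:
    """keytool prints 'AA:BB:..'; google-services.json stores lowercase hex, no colons."""
    h = fp.replace(":", "").replace(" ", "").lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return h

def hashes_in_google_services(doc: dict, package: str) -> set:
    """Collect certificate_hash values of the Android OAuth clients for one package."""
    found = set()
    for client in doc.get("client", []):
        for oauth in client.get("oauth_client", []):
            info = oauth.get("android_info", {})
            if info.get("package_name") == package and "certificate_hash" in info:
                found.add(normalize(info["certificate_hash"]))
    return found

def diagnose(apk_fp, known, api_key_allowed, gs_doc, package):
    """Report which known certificate signed the build and where it is registered."""
    fp = normalize(apk_fp)
    labels = {normalize(v): k for k, v in known.items()}
    return {
        "signed_with": labels.get(fp, "unknown"),
        "allowed_by_api_key": fp in {normalize(a) for a in api_key_allowed},
        "in_google_services": fp in hashes_in_google_services(gs_doc, package),
    }

def _fp(byte: str) -> str:
    return ":".join([byte] * 20)  # constructed 20-byte fingerprint, not a real one

# Constructed sample data (assumptions, not values from the post)
PACKAGE = "com.example.app"
KNOWN = {"debug": _fp("D0"), "upload": _fp("A1"), "play_signing": _fp("B2")}
API_KEY_ALLOWED = [KNOWN["upload"], KNOWN["play_signing"]]
GOOGLE_SERVICES = {"client": [{"oauth_client": [
    {"client_type": 1, "android_info": {"package_name": PACKAGE, "certificate_hash": "a1" * 20}},
    {"client_type": 1, "android_info": {"package_name": PACKAGE, "certificate_hash": "b2" * 20}},
]}]}

if __name__ == "__main__":
    # A build installed over USB that turned out to be signed with the debug certificate
    print(diagnose(KNOWN["debug"], KNOWN, API_KEY_ALLOWED, GOOGLE_SERVICES, PACKAGE))
```

If `signed_with` reports `debug` for what was meant to be a RELEASE build, the build's signing configuration is the thing to correct, which keeps the debug fingerprint off the RELEASE key's allow list.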