We're working on an app which needs to integrate with a specific hardware component.
Now, after an update on the side of the hardware vendor, they tell us we need to sign our APK with their .keystore (which they've provided, including a password) in order to work with their hardware.
I can confirm this approach works in debug mode, the APK is signed and we have access to the hardware. However this doesn't work with Google Play signing, because Google expects the APK to be signed with our uploading certificate (and signs the APK with the key stored on their systems afterwards).
This strikes me as a very strange approach, shouldn't the .keystore and password be kept private? And are we opening ourselves up to a massive security risk if we sign the app with their keys?
Any advice is much appreciated, thank you!
It is very unusual and a potential security risk to use the signing key and password which is provided by a third party.
But: Apps that are signed with the same key as the OS on an android device can get special permissions. This might be necessary to use hardware features and system APIs on an android device which are usually not available to normal apps through Android.
Besides that, when you setup Google Play app signing, you can provide your own signing key and password. This would allow you to use the key from your hardware partner in production Play Store apps.