testing an unsigned apk that eventually will be signed with a system signature

Question

I'm developing a non google play application, that will be delivered as an unsigned release assembly apk to device manufacturers that will sign it with their own private system key signature.

the system signature is essential, because the app uses permissions with protection level signatureOrSystem . since the app not going to be installed as a system privileged app, it must be signed with the system's signature.

since I'm not going to have access to the final signed apk (or the signing key itself) I don't know how can I test the product I'm delivering (on a real device and not emulator) since it functionality depends on been signed with a system signature.

so far, only reference I found is a very old thread discussing about how to sign with system signature, but as I understand - it will not work anymore.

I would like to understand what is the recommended work-flow for how to test my app behavior as it signed with a system signature on a real device.

Answer 1

With larger companies, the company manufacturing the device will provide a version of the OS for the app developer to flash to a device that has a different set of recognized signing keys for you to test with. This is how they would expect app developers to be able to test their apps as if they were running on a full production device.

You might be able to get away with rooting a device and sideloading your APK in /system/app instead of the usual install location of /data/app. Once you have an app with a manifest with necessary system permissions installed there, reboot, and install normally (adb install to /data/app) and then you will be able to use the system permissions define in the app in /system/app.