
When creating a client ID for Android in the Google Cloud Platform developer console, I get the following popup:

Duplicate fingerprint

The fingerprint you specified is already used by an Android OAuth2 client ID in this project or another project

As the popup states, I do have another project that has the same SHA-1 fingerprint. What I don't understand is why I can't use the same SHA-1 fingerprint (signing certificate) with multiple projects?

This has serious implications if you use the same debug or release signing certificates for multiple Android apps. This isn't a huge deal for debug certificates, since you can always create a new one, however if you've already used the same release certificate to sign multiple production Android apps, can you not create separate Google Cloud projects for each app?

Is this a bug, or can you really not use the same Android signing certificate for multiple Google Cloud projects?

Is it a best practice to always use a new release signing certificate for every Android app?

ashughes

2 Answers


First, why we need to have a unique cert and package name: A while back we decided that you shouldn't need to specify the clientID in the Android app (for dev simplicity and to mitigate certain issues, e.g. someone cannot claim/use your client ID if they don't have the cert, even if they have the same package name). We can look up the clientID based on the package name and cert hash. This requires the combination to be unique. Does that make sense? To be clear, you can use the same cert along with a different package name for the app, and many do.

Is it a best practice to always use a new release signing certificate for every Android app?

I think there are pros and cons. If you ever want to sell/change ownership of an app (out of many you have), it would be easier with a separate cert. Also you need to think about the compromise or loss of the cert. The same cert does make the release process easier and lets you claim that they are from the same entity.

nvnagr
  • Thanks for the clarification. Question regarding the first part of your answer: So you don't need to specify `clientIds` and `audiences` in the `@Api` endpoint annotation? – ashughes Mar 14 '16 at 17:21
  • If you are calling a Google Play services API on Android then you don't need to specify the client ID, but in some cases the audience is needed because there can be multiple of those and you get to choose. – nvnagr Mar 14 '16 at 18:01
  • Thanks. What about in the `@Api` annotation when using Google Cloud Endpoints? – ashughes Mar 15 '16 at 01:42
  • I'm not the expert for Cloud Endpoints. If you are talking about how to set up the server https://cloud.google.com/appengine/docs/java/endpoints/annotations you'll need to specify the client IDs that you want to accept requests from. In the Android client code https://cloud.google.com/appengine/docs/java/endpoints/consume_android I think you'll need to specify the server client ID, and we'll put the client ID in the ID token based on the app package name and signature. The good part of this is that on non-rooted devices only your client app can get that ID token. – nvnagr Mar 15 '16 at 19:13

Just create a new project with a different package name.