The final solution in this post was amazing and saved me tons of work and helped me to better understand the API:
https://stackoverflow.com/a/72511785/12622090
When I run my app on a real device using WiFi pairing from Android Studio, everything works flawlessly. However, in Production, the API call consistently fails with the following error message:
Integrity API error (-12): Unknown internal Google server error. Retry with an exponential backoff. Consider filing a bug if fails consistently. (https://developer.android.com/google/play/integrity/reference/com/google/android/play/core/integrity/model/IntegrityErrorCode.html#GOOGLE_SERVER_UNAVAILABLE).
My gut tells me that the problem must have something to do with obfuscation, Google App Signing, or some undocumented need for another set of "credentials" in the Google Console for the Production deployment.
Has anyone run up against this and found a solution?
UPDATE:
I've determined that the issue is related to ProGuard obfuscation, but it's not clear why. If I set minifyEnabled true in my Gradle for DEBUG, I can reproduce the exception. If I turn off minify in a Production upload, the issue goes away. What doesn't make sense is the exception is permissions/account related.
The underlying exception is:
Error getting access token for service account: 400 Bad Request
POST https://oauth2.googleapis.com/token
{"error":"invalid_grant","error_description":"Invalid grant: account not found"}, iss: account-email-from-json-file-iam.gserviceaccount.com
class: com.google.auth.oauth2.OAuth2Credentials$1.call [OAuth2Credentials.java line: 257]
class: com.google.auth.oauth2.OAuth2Credentials$1.call [OAuth2Credentials.java line: 254]
class: java.util.concurrent.FutureTask.run [FutureTask.java line: 264]
class: com.google.common.util.concurrent.DirectExecutor.execute [DirectExecutor.java line: 31]
class: com.google.auth.oauth2.OAuth2Credentials$AsyncRefreshResult.executeIfNew [OAuth2Credentials.java line: 580]
class: com.google.auth.oauth2.OAuth2Credentials.asyncFetch [OAuth2Credentials.java line: 220]
class: com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata [OAuth2Credentials.java line: 170]
class: com.google.auth.oauth2.ServiceAccountCredentials.getRequestMetadata [ServiceAccountCredentials.java line: 967]
class: com.google.auth.http.HttpCredentialsAdapter.initialize [HttpCredentialsAdapter.java line: 96]
class: com.google.api.client.http.HttpRequestFactory.buildRequest [HttpRequestFactory.java line: 91]
class: com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest [AbstractGoogleClientRequest.java line: 404]
class: com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed [AbstractGoogleClientRequest.java line: 514]
class: com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed [AbstractGoogleClientRequest.java line: 455]
class: com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute [AbstractGoogleClientRequest.java line: 565]
Any help would be appreciated. This is driving me nuts!
MY SOLUTION: I hope this works for someone else given the fact that I've benefited from others on Stack Overflow many, many times!
I ended up adding the following to my proguard rules and the issue "appears" to have been resolved. I don't completely understand the solution because it still fails on the Google "review devices", but at least I'm able to move on after about 65 hours because it works on my test devices:
#adding for PlayIntegrity API that bombs with obfuscation
-keep class com.google.api.services.playintegrity.** { *; } #REQUIRED
-keep class com.google.api.client.** { *; } #REQUIRED
The next "class action suit" against Google needs to be for their pitiful documentation and their failure to be true "partners". They appear to be comfortable with deprecating things like SafetyNet and then publishing inadequate documentation for the replacement solutions while still taking their "cut of the revenue". In the meantime, we Indie developers spend 100s of (non-compensated) hours trying to get their nonsense to work. Google documentation is a joke; were it not for Stack Overflow, much of what they provide would not be usable.
With respect to the PlayIntegrity API, it wouldn't be as necessary/critical if it wasn't so simple to reverse-engineer a Google/Java application. That being the case, Google, as a partner, should be more vested in helping us to protect our IP while they skim/share from our profits!
Kudos to @pvalle for his/her original solution.
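A narrower variant of the two -keep rules in the post, added here as an example and not part of the original post: it keeps only the @Key-annotated fields that Google's API client reads by reflection, following the ProGuard guidance in the google-http-java-client Android documentation. That these rules alone clear the error described above is an assumption; they have not been tested against this app.

```proguard
# Added example (not the poster's rules): keep less than
#   -keep class com.google.api.client.** { *; }
# so that the rest of the client library is still shrunk and obfuscated.

# The Google HTTP/API client maps JSON properties to Java fields by reflection
# over @Key annotations. The annotations and generic signatures must survive
# R8/ProGuard, otherwise requests and token claims are serialized incorrectly.
-keepattributes Signature,RuntimeVisibleAnnotations,AnnotationDefault

# Keep only the fields annotated with @Key, in any class, under their
# original names. Classes and methods remain eligible for obfuscation.
-keepclassmembers class * {
    @com.google.api.client.util.Key <fields>;
}

# Assumption: if the Play Integrity request/response models are still
# stripped, keep their members only, rather than the whole package tree
# with "-keep class ... { *; }".
-keepclassmembers class com.google.api.services.playintegrity.** { *; }
```

To confirm which rule is actually needed, build with minifyEnabled true in a debug variant (the reproduction described in the post) and remove one rule at a time.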