[Release] Verify Play App Signing and certificate fingerprints

[jjoonleo]

Backlog ID: ISSUE-022
Source: plans/release_app_todos.md

Goal

Record the signing fingerprints needed by Google Play and auth providers.

Parallelization

Status: blocked

Prerequisites

• [Release] Configure release signing ownership and secrets #450 - Release signing ownership/setup must be known.
• Play App Signing setup - Certificate fingerprints depend on Play/upload key decisions.
• [Release] Configure release Firebase/Google services file #451 - Firebase/auth provider config must receive the resulting fingerprints.

Acceptance criteria

• Play App Signing/upload key setup is completed or confirmed.
• SHA-1 and SHA-256 fingerprints are recorded.
• Firebase console has required release fingerprints.
• Google Sign-In and other provider console settings are verified against release package/fingerprints.

Codex thread guidance

• Work only on this issue's scope.
• Do not modify unrelated release issues.
• If this issue is blocked by external access or human approval, prepare the needed checklist/text and leave the issue open.
• Do not implement final closure until the prerequisites above are complete; prepare only unblocker notes if started early.

[jjoonleo]

Status note for #454:

• Repo-side artifact added in draft PR docs: add Play signing fingerprint checklist #490: docs: add Play signing fingerprint checklist #490
• Commit: 96c90f6
• Status: advanced, still externally blocked.

What changed:

• Added docs/Android-Play-Signing-Fingerprints.md with a Play App Signing, Firebase, provider-console, and evidence checklist.
• Added plans/issue-454-play-signing-fingerprints.md documenting the blocked status and repo-side scope.
• Linked the checklist from Android release configuration, signing setup, and docs index.

Verification run:

• git diff --check
• rg -n "Android Play Signing Fingerprints|Play app signing|SHA-256|#454|Test and release|References" docs plans

Remaining human tasks:

• Confirm Play App Signing is active or complete the first-upload setup path in Play Console.
• Record Play app signing and upload key SHA-1/SHA-256 fingerprints.
• Add required release fingerprints in Firebase for Android package club.devkor.ontime.
• Verify Google Sign-In, Kakao, and any backend allowlists against the final release package/fingerprint values.
• Rotate ANDROID_GOOGLE_SERVICES_JSON_B64 only if Firebase produces an updated release google-services.json.