Use SHA256 digests when signing AAB files

[atanas-bitrise]

Checklist

• I've read and followed the Contribution Guidelines
• step.yml and README.md is updated with the changes (if needed)

Version

Requires a MAJOR/MINOR/PATCH version update

Context

Changes

Investigation details

Decisions

[lpusok]

SHA 256 requires API level 18: https://stackoverflow.com/a/42490932. That is now pretty old, Google Play Services requires API level 19 (https://developers.google.com/android/guides/setup). So adopting SHA256 should not be an issue.

[ofalvai]

The good news is that we only use jarsigner (with the SHA1 digest) for signing AAB files. APK files are signed with apksigner, the more modern tool that selects the most appropriate signature scheme based on the app’s min SDK version. So there is no risk of shipping an APK to end users with a weak signature or digest algorithm. AAB files are consumed by Google Play only, the service then creates multiple signed APKs from the AAB.

I also think it’s safe to change the digest algorithm to SHA256, although I couldn’t find any official information about what signature format Google Play expects when uploading the AAB archive.

So I took the E2E tests in our Google Play Deploy step and modified them to use this PR when signing the AAB and APK files: bitrise-steplib/steps-google-play-deploy#145

All the E2E tests passed for 2 out of 3 stacks, and the failure on that one stack was a race condition between the tests (it's a known issue). I think it's safe to change the digest algorithm to SHA256 👍