Disclaimer: Some content in this article outlines how to use functionalities that will be publicly released to all clients in April 2025. If you see differences between this article and your platform, check back at that time. Learn more about the release cycle.
Introduction
This article covers how to set up Direct updates for your branded mobile app, allowing you to send new versions to the app stores directly from the Branded mobile publisher page. This eliminates the need to manually re-sign and upload each new build.
When direct updates are configured, every new build you generate is automatically re-signed and submitted to the corresponding app store.
Note that you need to configure this separately for the iOS and Android versions of your mobile app.
Prerequisites
You need to already have configured a branded mobile app as described in the article Branded mobile app publisher. In particular you should have completed the steps set out in the chapters Prerequisites and Create a new branded app of that article, including all the principal configurations in the Properties and iOS or Android tabs.
If you have an Android app, you will also need to manually re-sign and upload the initial release of the app. This means that, before you enable Direct updates, you must generate a build and download the package, then re-sign and submit it to the store as described in the article Manually re-sign and publish the mobile app. This needs to be done only the first time, whereas for subsequent app versions the process can be handled by Direct updates.
You do not need to do the manual process for iOS apps, because in this case Direct updates works for both the initial release and subsequent versions.
Set up direct updates for iOS branded app
For iOS, you can use Direct updates to submit your initial app release, as well as its subsequent updates.
To begin, select Admin menu > THEME SETTINGS > Branded mobile publisher, and in the app list click the <name> of your branded mobile app to open its configuration page. Then select the iOS tab.
In the iOS tab, navigate to the Direct updates section and select the Enable re-sign and upload check box. This will reveal the fields that you need to configure.
When you have finished filling in the fields as instructed below, click Save changes.
| iOS field for Direct updates | Notes |
Bundle ID: Unique identifier of the iOS app. Example: com.yourcompany.yourappname. |
This can be found in App Store Connect, under the App information section. |
|
Issuer ID: Identifier for API key generation. Key ID: Identifier of the App Store Connect API key. Private key (.p8) file: Contains the private key associated with the Key ID. Can only be downloaded at the time of key creation in App Store Connect. File name format: |
These values are all found in App Store Connect under Users and Access > Integrations For more detailed instructions see the chapter Create an App Store Connect API key |
Distribution certificate (.p12) file without password: Used to sign the iOS app for distribution. Generate and download .cer certificate from the Apple Developer Portal, then export as .p12 without password from Keychain Access on your Mac. |
For more detailed instructions see the chapter Create an iOS distribution certificate |
| Provisioning profile (.mobileprovision) file: Provisioning profile for App Store distribution, associated with the App ID and Distribution certificate. Downloaded from Apple Developer Portal. | For more detailed instructions see the chapter Create a provisioning profile |
Create an App Store Connect API key
This is required for App Store Connect API access to automate processes like uploading builds or managing app metadata.
- Log in to App Store Connect: https://appstoreconnect.apple.com (opens in a new tab)
-
Go to "Users and Access":
- Click on the Users and Access tab in the top menu.
- Navigate to the Keys tab under Users and Access.
-
Create a New Key:
- Click the "+" button to create a new API key.
- Give your key a name and select the appropriate access level (App Manager is usually sufficient for app-related tasks).
- Click Generate.
Important: Once the key is created, you’ll see:
-
Key ID: A unique identifier (e.g.,
2X9F8A3Y6Z) - Issuer ID: Found in the same tab.
- Private Key (.p8): Download this immediately! You won’t be able to download it again.
Create an iOS distribution certificate
The distribution certificate is used to sign your app for App Store distribution. It proves that the app comes from an identified developer and allows it to be installed on devices.
How to create and export the .p12 file:
-
Create a Distribution Certificate:
- Go to Apple Developer Portal (opens in a new tab).
- Under Certificates, Identifiers & Profiles, select Certificates.
- Click the "+" button and choose iOS Distribution.
- Follow the instructions to create a Certificate Signing Request (CSR) on your Mac using Keychain Access:
- Open Keychain Access → Go to Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
- Enter your email and name, select Saved to Disk, and click Continue.
- Upload the generated .csr file in the Developer Portal.
- Download the generated .cer file and import it in the keychain (double click on the file).
-
Export as a .p12 file (without a password):
- Open Keychain Access on your Mac.
- Find the newly installed iOS Distribution certificate under My Certificates.
- Right-click the certificate and select Export.
- Choose the format as .p12 and do not set a password during export
Create a provisioning profile
The provisioning profile ensures that your app is associated with the correct App ID, Distribution Certificate, and device entitlements.
How to create and download a provisioning profile:
- Go to the Apple Developer Portal: https://developer.apple.com/account/ (opens in a new tab)
-
Create a new Provisioning Profile:
- Under Certificates, Identifiers & Profiles, select Profiles.
- Click the "+" button and choose App Store for Distribution.
- Select your App ID from the list. You need to create it if it’s not available, and it should be the bundle ID you’ll use later.
- Choose the iOS Distribution Certificate you created earlier.
- Give the profile a name (e.g.,
MyApp_StoreProfile). - Download the
.mobileprovisionfile.
Set up direct updates for Android branded app
→ For Android, Direct updates only works for updates to an existing app. You will need to manually re-sign and upload your initial app package to the store. Remember to keep the keystore and password that you use to do this, as you will need to use the same ones when you configure Direct updates.
To begin, select Admin menu > THEME SETTINGS > Branded mobile publisher, and in the app list click the <name> of your branded mobile app to open its configuration page. Then select the Android tab.
In the Android tab, navigate to the Direct updates section and select the Enable re-sign and upload check box. This will reveal the fields that you need to configure.
When you have finished filling in the fields as instructed below, click Save changes.
| Android field for Direct updates | Notes |
| Service account key (.json) file: Used to authenticate to Google Cloud services. In Google Cloud Console, create a JSON key file for your project's service account credentials. Can only be downloaded at the time of key creation. | For more detailed instructions see the chapter Create a service account key (.json) file and the chapter Grant app permissions to the service account user |
App release track: Used to manage your app's rollout. Examples: production, beta, qa. |
For more detailed information see the chapter App release track |
|
Keystore (.jks) file: Stores the cryptographic keys used to sign the app for distribution on Google Play Store. Can be created with Android Studio Key alias: Identifier for the specific key within the keystore that will be used to sign the app. If you edit this field you must re-enter the keystore password and key password. Keystore password: Password that secures the keystore file Key password: Password specifically for the key associated with the alias |
For more detailed instructions see the chapter Create a keystore and key |
Create a service account key (.json) file
The Service Account Key is used to authenticate with Google Cloud services, including the Google Play Developer API (for automating tasks like publishing builds or retrieving release details).
Steps to Create and Download the Service Account Key:
- Go to Google Cloud Console: https://console.cloud.google.com (opens in a new tab)
-
Select or Create a New Project:
- Click the Project Selector in the top bar and either select an existing project or create a new one for your app (billing is not required). For instructions see Create a Google Cloud Project (opens in a new tab).
-
Enable the Google Play Developer API:
- In the left-hand menu, navigate to APIs & Services > Library and search for Google Play Android Developer API. Or go to https://console.developers.google.com/apis/api/androidpublisher.googleapis.com/?hl=en (opens in a new tab)
- On the page for the Google Play Android Developer API, click Enable.
-
Create a Service Account:
- On the Google Cloud Console, navigate to IAM & Admin > Service accounts (opens in a new tab), select your project if necessary, and click Create service account).
- Enter a name (e.g., MyApp Service Account), leave the optional steps empty, and click Create.
- Keep a copy of the email address of the service account for later use. (see chapter Grant app permissions to the service account user)
- On the Google Cloud Console, navigate to IAM & Admin > Service accounts (opens in a new tab), select your project if necessary, and click Create service account).
-
Generate the Key:
- Click on the Actions vertical three-dot icon and select Manage keys
- Then click ADD KEY > Create New Key, select the JSON format and click Create.
- Click on the Actions vertical three-dot icon and select Manage keys
6. Download the .json File:
- The file will download automatically when you create the key.
- Store this securely—you won’t be able to download it again later.
Grant app permissions to the service account user
After creating the service account and downloading its service account key, as in the preceding chapter, you also need to grant permissions on your app to the service account user.
To do this:
- Open the Google Play Console (opens in a new tab) and under Users and Permissions, select Invite new users
- Under Invite user, In the e-mail address field, enter the address previously copied for the service account user, and under App permissions click Add app and select the app you want to automatically publish.
- Apply Admin all permissions and click Invite user.
Note: It may happen that the user was already automatically invited. In this case, click Manage and apply the Admin permissions.
Create a keystore and key
A Keystore is a file that stores the cryptographic keys used to sign your Android app. Every app must be signed with a keystore before it can be published on the Play Store.
You can create a keystore using Android Studio. The steps to follow are summarized below. For more detailed instructions, refer to the Google documentation: https://developer.android.com/studio/publish/app-signing#sign-apk (opens in a new tab)
- Go to your project in Android Studio.
- Click Build > Generate Signed Bundle / APK from the top menu.
- Select Android App Bundle (recommended for the Play Store) or APK and click Next.
- In the Key Store section click Create New and fill in the following details:
-
Key Store path: Choose where to save your keystore file, also specifying a file name with .jks extension (e.g.,
my-release-key.jks). - Keystore Password: Create a password to secure the keystore.
-
Key Alias: Enter a name for the key (e.g.,
my-key-alias). - Key Password: Create a password for the key (owing to a known issue, it is recommended to set the same password as the keystore password).
- Validity: Set the validity period (usually 25+ years)
-
Key Store path: Choose where to save your keystore file, also specifying a file name with .jks extension (e.g.,
- Fill in the rest of the required information and click OK to generate the keystore file in the specified location.
Important: Make a note of the Keystore Password, Key Alias and Key Password that you set during this process. You will need them to sign app updates. These values, along with the downloaded keystore file, also need to be entered into the branded mobile publisher configuration for automatic updates.
App release track
This is the name of the track where you want to publish. For more information see the Play Console help guide on app release tracks (opens in a new tab). By default, you have three available: production, beta and qa. These map to Production, Open Testing and Internal Testing.
You can, however, also create your own release track and then use its name in branded publisher.
Generate a build with direct updates
Once you have configured Direct updates as described above, the next time you click Generate builds you will see a message box that informs you about the automatic re-sign and upload.
If you have configured direct updates for an Android app you will also see the warning indicating that automatic re-sign and upload does not work for the first publication of the app, but only for subsequent updates.
Click Generate and upload builds to continue.
On the branded publisher page you can check the progress of build generation in the usual way, in the Build status area:
When the process is complete, in this same area you will see an indication of the outcome. You will also receive an email with this same information:
Build generated and sent to the store [date and time] : The entire process was successful, and the app was re-signed and submitted to the store.
→ You can still use the Download build button to download a local copy of the build, if required. But note that the downloaded build is not re-signed.
Error while generating the build: The build could not be generated at all. This error does not depend on Direct updates. Check your branded publisher settings, or contact the Help Center. In this case there is no build available for download.
Error while re-signing the build: The build was successfully generated, but there was a problem during the re-signing operation.
Error while uploading the build to the store: The build was successfully generated and also successfully re-signed, but the upload to the app store failed.
Tip: If you receive an error while re-signing or while uploading, you can check the configuration in Direct updates and try again. Alternatively, since the build was still successfully generated, you can:
- Click Download build to download the build, then re-sign and upload it manually. Remember that the downloaded build always needs to be manually re-signed prior to upload to the store.
Note that, if you configured Direct updates for only one of the apps (iOS or Android), for the other one you will still need to download the build and apply the manual method as in the article Re-signing and publishing the branded mobile app.