HEADS UP: With the October monthly release on October 26, 2022, a security update on file uploads has been released. To avoid any disruptions with file uploads in your mobile app, please make sure you build the new version of your branded mobile app and distribute it via app stores or via your Mobile Device Management systems. Please note that the build needs to be based on version 4.9.1 or higher.
HEADS UP: For those publishing the app on the Apple App Store or via a Mobile Device Management (MDM) system, please note that in order to be able to re-sign and then publish your app, you need to download and execute the new version of the resign.sh script (ZIP, 3KB) script. This file is also attached to the Re-signing the .ipa chapter below in this article.
Introduction
In your learning platform, you can create a branded mobile app for your users’ on-the-go learning. In this way, your learners can do their training on a mobile app branded for your company.
More information on how to create and configure your branded app, generate the build and then download the package in order to publish your custom version of the Go.Learn mobile app on the app stores. Discover the technical requirements and the information needed to create your own branded app.
If you publish your app on iOS App Store, you are required to submit the Export Compliance and the Self-Classification Report for Encryption Items in order to be compliant with the U.S. Encryption and Export Administration Regulations (EAR) (opens in a new tab). Learn more on how to produce and present this report.
This article outlines how to re-sign and then publish your branded mobile app. Once you’ve created your branded app, in order to publish it on the application store (Google Play for Android and App Store for iOS) you have to replace the digital signature temporarily applied by Docebo with your own signature generated in-house (for Android) or with the signing certificate assigned by the App Store (for iOS).
If you don’t apply the new signature, the package can’t be uploaded on the application store. Refer to the following sections for more information about the re-signing process for Android and for iOS.
Please note that Branded Mobile App Publisher is a very technical functionality. We suggest contacting a member of your company’s IT department to perform the configuration properly.
Also note that Docebo is not responsible for the content of external documents written by other companies (i.e. Apple, etc.). Remember that it is your responsibility to check if these documents are updated or changed in any way.
Android Google Play Store
The re-signing process for the Android Google Play Store is composed of two steps. You must first create a keystore if you don’t have one yet. If you already published an Android app, you can use the same keystore. Then, you need to re-sign the Android Package (APK) or the Android App Bundle (AAB), according to the package format you chose when configuring the app technical details in the Settings section of the Android app tab.
Creating a Keystore
Begin by creating a keystore using the Java Keytool utility that comes with any standard JDK distribution and can be located at %JAVA_HOME%\bin. On Windows, this is usually C:\Program Files\Java\jre8\bin., while you don't need to care about the path on Mac OS.
On Windows, open a command prompt and switch to that directory. On a Mac, just open a terminal. Then, enter a command like this one:
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
The Keytool prompts you to provide passwords for the keystore, then you will be asked to provide the Distinguished Name fields:
| Field | Notes |
|
commonName |
Common name of a person, e.g., "Susan Jones" |
|
organizationUnit |
Small organization (e.g., department or division) name, e.g., "Purchasing" |
|
organizationName |
Large organization name, e.g., "ABC Systems, Inc." |
|
localityName |
City name, e.g., "Palo Alto" |
|
stateName |
State or province name, e.g., "California" |
|
country |
Two-letter country code, e.g., "CH" |
Finally, type the password for your key (if required). The keystore is now generated as a file called my-release-key.keystore saved in the directory in which you’re currently located. The keystore and the key are protected by the passwords that you entered. The keystore contains a single key, which is valid for 10,000 days (as given in the -validity parameter). The alias is the name that you will use later to refer to this keystore when signing your application.
Please note: Save the keystore and the password for later uses, because you’ll have to use them anytime you need to publish an update.
To learn more about Keytool, you can refer to this Oracle document (opens in a new tab). You can also find a detailed document about this topic on Stack Overflow (opens in a new tab).
Re-signing the .aab or the .apk
In order to reassign a signature to an AAB or to an APK, you have to delete the META-INF from your AAB or your APK and then sign it again. Remember that you shouldn't extract the files; you just need to remove the entry from the archive.
You can do it in many ways, but the fastest way is using the system shell. Let’s assume that you have a MyApp.aab file (or a MyApp.apk file) and a keystore called ‘my-release-key.keystore’, the alias is ‘alias_name‘, the keystore’s password is ’secret’ and the key’s password is ‘password123‘. If you don’t have a keystore, refer to the Creating a Keystore section above for further information on how to create it. Follow these steps to re-sign the .aab or the .apk file:
1. Remove the META-INF directory from the archive (both for Windows and Mac):
zip -d MyApp.aab META-INF/\* or zip -d MyApp.apk META-INF/\*
2. Realign the app in order to be compliant with the Play Store tech requirements. The purpose is to ensure that all uncompressed data starts with a particular alignment relative to the start of the file (please note: follow this step for .apk files only)
For Windows:
zipalign -f -v 4 MyApp.apk MyAppAligned.apk
For Mac:
/Users/{YOUR_USER_NAME}/Library/Android/sdk/build-tools/{SDK_VER}/zipalign -f -v 4 ./MyApp.apk MyAppAligned.apk
3. Sign it again:
For Windows:
- AAB
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore ./my-release-key.keystore ./MyAppSigned.aab alias_name
- APK
apksigner sign -v --out ./MyAppSigned.apk --ks ./my-release-key.keystore --ks-key-alias alias_name ./MyAppAligned.apk
For Mac:
- AAB
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore ./my-release-key.keystore ./MyAppSigned.aab alias_name
- APK
/Users/{YOUR_USER_NAME}/Library/Android/sdk/build-tools/{SDK_VER}/apksigner sign -v --out ./MyAppSigned.apk --ks ./my-release-key.keystore --ks-key-alias alias_name ./MyAppAligned.apk
There is no security risk from the shell history because the passwords for your keystore and key are asked on the console. You are now ready to upload this .aab to the Android Google Play Store or to distribute the .apk.
Publishing
- More information from Google Play Console Help about how to upload an app (opens in a new tab)
- When you update your app creating a new app version for the Android Google Play Store (but also when you create your app for the first time), you need to complete the form in Google Play Console on the types of data collected in your app. Guidelines on how to fill in the Data safety section on Google Play (PDF, 67KB). Note that the guidelines refer to the Go.Learn app configuration — please check each section, as your app may differ from Go.Learn (e.g. if you didn’t connect your app to Firebase, do not fill in the info on analytics; if you don’t have the Discover, Coach & Share module, fill in the module accordingly). If you don’t submit the form, you will see a warning message in the Messages Area of your Google Play Developer Console.
Apple App Store
Prerequisites
In order to perform the re-signing process for the Apple App Store, you need:
| Item to Prepare | Notes |
| Mac | A Mac is needed, because a Windows PC cannot be used to re-sign an .ipa package |
| XCode | Installed from the Mac App Store |
| Provisioning Profile | Downloaded from the Apple Developer Console |
| Distribution Certificate | Downloaded from the Apple Developer Console and installed into the keyChain |
| resign.sh script | This is the script that you will execute |
| .ipa file | Created by the Branded Mobile App Publisher service |
Re-signing the .ipa
In order to re-sign the iOS .ipa package, a series of tools that are only available on Mac OS X are necessary, therefore you can’t re-sign an iOS app using a Windows PC. An .ipa is a zip file. In order to modify it, you have to extract it, sign it again and re-compress it.
Follow these steps to re-sign the .ipa file:
1. Move MyApp.ipa to a folder of your choice
2. Create and download the new Provisioning profile embedded.mobileprovision from the Apple Developer Console and save it into the .ipa folder (see point above). Follow the steps provided in Apple KB article (opens in a new tab).
3. The running security find-identity will give you a list of identities, from which you can choose the one you want (you have to search for the one starting with "iPhone Distribution"):
security find-identity -v -p codesigning
The result will be like the following:
-
7D2A35B002F0577B66689713044BF66B4EEAC70F "iPhone Developer: Donald Duck (4J2CJZQ799)
-
C45CFD22CCC7BD2E84ED43D07719D709BC901322 "iPhone Distribution: A.C.M.E. (8YX56B3FLL)
4. Move the resign.sh script (ZIP, 3KB) to the same folder and execute it (execute the script without args to have more info):
$./resign.sh ./MyApp.ipa ./embedded.mobileprovision “iPhone Distribution: A.C.M.E. (8YX56B3FLL)"
Please note: in case you receive the permission denied error shown in the image below, execute the following command: chmod 777 ./resign.sh 
After that, you can execute the resign.sh script without receiving any permission denied errors anymore. This .ipa is now signed with your new profile and you are now ready to upload this .ipa to Apple App Store using the application called Transporter (you can find it in your Application folder). If you don't have Transporter yet, you can install it from your Mac App Store. Refer to the articles How to re-sign iOS builds (opens in a new tab), Inside Code Signing (opens in a new tab) and Application Code Signing (opens in a new tab) to learn more about how to reassign a signature to an Apple .ipa file.
Publishing
You also need the following metadata to finish setting up the app in iTunesConnect:
App Specific Info
|
App Specific Info |
Notes |
|
Title |
This is the App Name. It can be up to 30 characters long. |
|
Subtitle |
The app subtitle appears below the app name. It can be up to 30 characters long. It is optional info. |
|
Privacy Policy URL |
This is the URL of the privacy policy document that you find on your website |
|
Primary Category |
This is the first category you assign to your app. It is the category in which the app appears when users browse by category or filter search results. |
|
Secondary Category |
This is the second category you assign to your app. It is optional info. |
|
Price |
This is your app’s price. You can set it to the Free option. |
|
Territories |
By default all territories, but the list can be edited to make it available only to specific countries |
Version Specific Info
|
Version Specific Info |
Notes |
|
App previews (videos) and screenshots |
Screenshot requirements, Optional Preview requirements |
|
Promotional text |
This is the promotional text that appears at the top of the description. It can be up to 170 characters long. It is optional info. |
|
Description |
The description highlights the features and functionalities of your app. It is an informative paragraph followed by a short list of main features. |
|
Keywords |
Keywords help determine where your app displays in search results. They can be up to 100 characters in total and items are separated by commas and no spaces. |
|
Support URL |
This is the URL of your company’s website page where you can ask for support |
|
Marketing URL |
This is the URL of your company’s website page where you can download marketing material and press kit. It is optional info. |
|
Version number |
The default for a new app is 1.0, while the Docebo build is 1.1.8 |
|
Copyright text |
This is the text of your app’s copyright |
|
Contact info at your company in case of issues |
This contact info is used to submit feedback |
|
App Review Info |
Login credentials and any steps required for logging in/using the app |
Learn more about screenshot requirements (opens in a new tab), optional preview requirements (opens in a new tab), and your App Store product page (opens in a new tab).
Important Notes on the Publishing Process
- When you update your app creating a new app version for the Apple App Store (but also when you create your app for the first time), you need to complete the form on the types of data collected in your app. Guidelines on how to fill in your app's privacy details on the App Store (PDF, 42KB). Note that the guidelines refer to the Go.Learn app configuration — please check each section, as your app may differ from Go.Learn (e.g. if you didn’t connect your app to Firebase, do not fill in info on analytics).
- When uploading your branded app to Apple App Store, if you use custom SSO (Single Sign On), Apple may require an explanation about the reason why you use a non-standard login process.
- When publishing your branded mobile application to Apple App Store, you may be asked some questions about paid content and services. Find the answers applicable to the branded app you created with Docebo’s Branded Mobile App Publisher functionality (PDF, 33KB) (refer to the first section of the document if you use Docebo’s E-Commerce app to sell courses online through your platform creating your own marketplace, refer to the second section if you don’t use it). Once you reply to these questions, you can proceed with the publishing process.