Gradle Made Simple (Part 3): Signing & Releasing Your Flutter App.

FlutterPulse

So far, we've survived the maze of Gradle basics and version mismatches. By now, you know what Gradle does, how AGP and the Gradle wrapper play together, and how to dodge those cryptic build errors.

Now comes the ultimate test: signing and releasing your app. This is where your Flutter app graduates from a local debug APK to a fully polished release that Google Play (and your users) can trust.

In this part, we'll uncover:

  • Why app signing matters (debug vs release keystore)
  • How to generate a keystore using keytool (Windows & macOS/Linux)
  • How to get SHA1 and SHA256 fingerprints for Firebase and Google APIs
  • How to configure your build.gradle securely using local.properties
  • How to build signed release APKs and AABs

Think of this as your Gradle graduation ceremony — once you master signing, your Flutter apps are ready to fly off into the wild!

1. Why App Signing Matters

Imagine you're sending a letter. Without a signature, anyone could claim it's from you. That's exactly what app signing does digitally.

  • Debug Keystore: Auto-generated by Flutter/Android Studio. Good for testing and debugging.
  • Release Keystore: Official key for distributing apps. Google Play uses it to identify your app and allow updates.

Without signing, your app cannot be uploaded to the Play Store, and users installing manually may see scary warnings.

2. Generate a Keystore Using keytool

macOS/Linux

keytool -genkey -v -keystore ~/my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my_key_alias

Windows

keytool -genkey -v -keystore C:\Users\Ravi\my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my_key_alias

Note: Adjust the path in this command to match your project.

Parameters explained:

  • -keystore → Path where your keystore will be saved
  • -keyalg RSA → Key algorithm used for signing
  • -keysize 2048 → Key size in bits, which sets the security level (recommended)
  • -validity 10000 → Validity in days (~27 years)
  • -alias → Name for the key inside the keystore

You'll be prompted for passwords and identity info. Store these securely!

Also record everything you enter at the prompts so you can retrieve it later, and keep a copy of the release .jks file on cloud storage as well.

3. SHA1 vs SHA256 — What They Are and Why You Need Them

When working with APIs like Firebase, Google Maps, or Play App Signing, you'll need SHA fingerprints. These are cryptographic hashes that uniquely identify the signing certificate in your keystore.

  • SHA1: Older, widely supported fingerprint. Still required by some APIs.
  • SHA256: Modern, more secure, increasingly required for Firebase and Play App Signing.

Generate fingerprints using keytool:

macOS/Linux

keytool -list -v -keystore ~/my-release-key.jks -alias my_key_alias

Windows

keytool -list -v -keystore C:\Users\Ravi\my-release-key.jks -alias my_key_alias

Note: Adjust the path in this command to match your project.

This should output something like this:

Alias name: my_key_alias
Certificate fingerprints:
SHA1: AB:CD:EF:12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0
SHA256: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF

4. Configure build.gradle Securely Using local.properties

Step 1 — Add keystore info to local.properties at android/local.properties

RELEASE_STORE_FILE=my-release-key.jks
RELEASE_STORE_PASSWORD=YourKeystorePassword
RELEASE_KEY_ALIAS=my_key_alias
RELEASE_KEY_PASSWORD=YourKeyPassword

These are the values you entered while creating the keystore file.

Step 2 — Load the properties in app/build.gradle

// Load the signing values saved in android/local.properties (Step 1)
def keystoreProperties = new Properties()
def keystorePropertiesFile = rootProject.file('local.properties')
if (keystorePropertiesFile.exists()) {
    keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
}

Step 3 — Use keystoreProperties in your signingConfigs block in app/build.gradle.

signingConfigs {
    release {
        // A relative path is resolved against the app module directory (android/app)
        storeFile file(keystoreProperties['RELEASE_STORE_FILE'])
        storePassword keystoreProperties['RELEASE_STORE_PASSWORD']
        keyAlias keystoreProperties['RELEASE_KEY_ALIAS']
        keyPassword keystoreProperties['RELEASE_KEY_PASSWORD']
    }
}

Step 4 — Assign the signing config to the release buildType in app/build.gradle.

buildTypes {
    release {
        signingConfig signingConfigs.release
    }
}
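
A pre-flight check for the setup in Steps 1 to 4, added here as an example and not part of the original article: it confirms that all four RELEASE_* values are set, that the keystore exists where app/build.gradle will look for it, and that neither file is accessible to other local users. The function names (prop, loose_perms, check_signing) are hypothetical, and it assumes a POSIX shell on macOS/Linux with a relative RELEASE_STORE_FILE placed under android/app.

```shell
#!/bin/sh
# Added example: pre-flight check for the signing setup from Steps 1-4.
# Assumption: RELEASE_STORE_FILE is relative to android/app (Gradle's file()
# in app/build.gradle resolves relative paths against the module directory).

# prop FILE KEY: print KEY's value from a .properties file (last match wins)
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# loose_perms FILE: succeed if group or others have any permission bit on FILE
loose_perms() {
  [ -n "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
      -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# check_signing ANDROID_DIR: print each finding, return the number of findings
check_signing() {
  dir=$1; props="$dir/local.properties"; problems=0
  if [ ! -f "$props" ]; then
    echo "missing: $props"; return 1
  fi
  for key in RELEASE_STORE_FILE RELEASE_STORE_PASSWORD \
             RELEASE_KEY_ALIAS RELEASE_KEY_PASSWORD; do
    if [ -z "$(prop "$props" "$key")" ]; then
      echo "unset or empty: $key"; problems=$((problems + 1))
    fi
  done
  store=$(prop "$props" RELEASE_STORE_FILE)
  case $store in
    "" | /*) ;;                          # empty (already reported) or absolute
    *) store="$dir/app/$store" ;;        # relative: resolve like app/build.gradle
  esac
  if [ -n "$store" ] && [ ! -f "$store" ]; then
    echo "keystore not found: $store"; problems=$((problems + 1))
  elif [ -n "$store" ] && loose_perms "$store"; then
    echo "keystore accessible to group/others: $store"; problems=$((problems + 1))
  fi
  if loose_perms "$props"; then
    echo "local.properties accessible to group/others"; problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage: sh check_signing.sh android   (run from the Flutter project root)
if [ "$#" -gt 0 ]; then check_signing "$1"; fi
```

A non-zero exit status is the number of findings; `chmod 600` on the keystore and on local.properties clears the permission findings.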

Now you're ready to generate signed releases:

# APK
flutter build apk --release

# AAB (for Play Store)
flutter build appbundle --release

Signing your app may have seemed scary at first, but with Gradle doing the heavy lifting and local.properties keeping your secrets safe, the process is now smooth and repeatable.

Keep your keystore and passwords safe — losing them means no future updates for your app. Always back up your release keystore!
