Generate /.well-know/assetlinks.json

[andreban]

Helps developers to generate a correct assetlinks.json file, with the correct Fingerprint and package name.

[jadjoubran]

maybe worth mentioning a note about Play Store signing as well? as it seems like a common pitfall (from personal experience & reading Stackoverflow answers)

[andreban]

Yes, definitely.

[JudahGabriel]

@andreban Would you accept a PR for adding a function to KeyTool.ts to generate the SHA-256 fingerprint? I think it'd be a step towards generating digitalassets.json. I'd be glad to contribute that.

[PEConn]

Hey Judah,

I'd have no issue with it. It's probably worth discussing whether we'd want this to be something that is done automatically or as part of a separate command.

It's worth noting though that quite a few developers will upload their app to the Play Store and use App signing by Google Play. In this case the SHA-256 fingerprint required for Digital Asset Links verification won't be the one used on the local APK, but the one displayed in the Play Store Console.

Maybe we'd want the flow for a user to be:

1. Create a TWA using llama-pack.
2. Upload their APK to the Play Store, deciding whether to use Play Store signing.
3. Run a llama-pack command to generate the asset links, either using the fingerprint from the local APK or the one provided in the Play Console.

(Instructions for how to manually find out the key from an APK are here, hopefully there's some keytool arguments that will give just the required fingerprint.)

Peter C

On Thu, 23 Jan 2020 at 16:38, Judah Gabriel Himango < notifications@github.com> wrote:

Would you accept a PR for adding a function to KeyTool.ts https://github.com/GoogleChromeLabs/llama-pack/blob/master/src/lib/jdk/KeyTool.ts to generate the SHA-256 fingerprint? I think it'd be a step towards generating digitalassets.json. I'd be glad to contribute that.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/GoogleChromeLabs/llama-pack/issues/5?email_source=notifications&email_token=AA4LBZO2ZELN4P4EWKBF5FLQ7IE6XA5CNFSM4JK24UR2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJY6GTI#issuecomment-577889101, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA4LBZJTQQK4FLILZ2AH7ADQ7IE6XANCNFSM4JK24URQ .

[JudahGabriel]

Right, understood that most folks will just use the Play Store and use that for signing.

Based on your feedback, I'll leave this for now until a clear path is decided.

[PEConn]

@andreban, what are your thoughts?

[andreban]

Configuring assetlinks.json is a confusing / error-prone experience currently.

The reason being that the SHA fingerprint that goes into the file can be:

• the key used to sign the APK
• the key generated by the Play Store, if the developer opts-in to App Signing (which is recommended by Play),
• or, in some cases, a third key generated when the developer is generating internal testing links.

The only key that is available to llama-pack when building the APK is the first one. We may have to cover two paths:

1. Using the signing key generated by llama-pack

• Generate the assetlinks.json file
• Explain to developers how to opt-out of Play Store Signing when uploading

2. Using Play Store Signing (recommended by Play. Probably what we should recommend too?)

• Explain how to find the Signing Key on the Play Store command
• Have a separate CLI command that takes a SHA-256 Fingerprint outputs assetlinks.json

So, I it seems that having a separate command to generate assetlinks.json would be the way to go. It would accept either a key (eg: android.keystore) or the SHA-256 fingerprint as an input. The package name can be collected from twa-manifest.json, but we'd want to enable overriding it as an optional parameter too.

[FluorescentHallucinogen]

Another important nuance is that Google Play Internal App Sharing (https://support.google.com/googleplay/android-developer/answer/9303479) also re-sign APKs. And the internal key is different to production and upload key. So assetlinks.json must be updated.

[PEConn]

This is not to discourage you Judah - if you want to create a PR for generating assetlinks.json, we'll happily look at it and potentially accept it.

We'd want it to be a separate command (which maybe we can document in the README.md) and we'd want the command to take into account the complexity about which fingerprint to use. Maybe something interactive with a decision tree:

Are you using Google Play Signing? y/n -> If so, go to the Play Store Console at www.blah.com, copy the fingerprint and paste it here... Are you distributing this APK by internal testing? y/n -> ... -> Please enter the password to your keystore ...

Potentially the command could also be non-destructive, so the user can run it twice to generate an assetlinks.json with multiple fingerprints.

On Sat, 25 Jan 2020 at 17:22, Alexey Rodionov notifications@github.com wrote:

Another important nuance is that Google Play Internal App Sharing ( https://support.google.com/googleplay/android-developer/answer/9303479) also re-sign APKs. And the internal key is different to production and upload key. So assetlinks.json must be updated.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/GoogleChromeLabs/llama-pack/issues/5?email_source=notifications&email_token=AA4LBZMPQZKF3AJA7YAPPI3Q7RYL3A5CNFSM4JK24UR2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJ5A7FY#issuecomment-578424727, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA4LBZLCG6BBFNU6RYSQ4ITQ7RYL3ANCNFSM4JK24URQ .

[FluorescentHallucinogen]

Any progress on this?

[rajandimri]

I have developed shopify app using PWA, Microsoft tool (https://www.pwabuilder.com/).

I published the android app to google play store and it is live also. Now I want to provide a native-like android and ios look app through my Shopify app.

Google recently introduce TWA, by using that I can generate a native app for PWA enable stores. see this link https://developers.google.com/web/updates/2019/02/using-twa .

To use TWA, I need to verify the website and app using Digital Asset Links.

To do this I need to add one JSON file to the root folder. for example - https://www.example.com/.well-known/assetlinks.json

Click on this for ref : https://developers.google.com/digital-asset-links/v1/create-statement .

As in Shopify, I do not have root access, How can I do it?

I build the PWA for my Shopify store and Shopify doesn't provide the root access so that I can Put the Digital Asset Link in a file called assetlinks.json and upload it to your my website at .well-known/assetlinks.json (relative to the root).

How can I verify the digital asset link for Shopify?

:(

In the case of website verification for Google Webmaster Tool thet also provide a set of HTML tag that we insert in the theme.liquid header in shopify in this way we verify the domain with google web master tool.

and how to verify the digital assets link when we don't control the root domain??

Please help?

[andreban]

@rajandimri Shopify allows configuring Digital Asset Links from their settings. They've added it to the App Links section, and the same configuration is used to validate a Trusted Web Activity: https://community.shopify.com/c/Shopify-APIs-SDKs/How-to-create-an-instant-app-for-a-shopify-store/td-p/529651

[rajandimri]

@andreban , that's pretty good! And thanks 👍

Now, I have verified the digital asset link and verified the same using the https://developers.google.com/digital-asset-links/tools/generator

But, the loading status bar is still showing on the mobile app.

Please let me know if I'm missing somewhere.

Thank you :)

[andreban]

You can use Peter's Asset Link Too to check if you are using the correct SHA-256 Fingerprint: https://play.google.com/store/apps/details?id=dev.conn.assetlinkstool

[rajandimri]

Yes! I tried using this tool and validate the same. But it is still showing the bar in the app you can also download and check the same - https://play.google.com/store/apps/details?id=com.misterfab.twa

I don't know why it is showing now?

@andreban, please help as my app is live :(

[andreban]

Here's what your assetlinks.json looks like right now:

[{
    "relation": ["delegate_permission\/common.handle_all_urls"],
    "target": {
        "namespace": "android_app",
        "package_name": "com.misterfab.in",
        "sha256_cert_fingerprints": ["43:A4:77:EA:6B:B5:42:30:21:99:72:98:C0:1F:4D:68:56:20:8C:00:50:C6:FB:99:F1:DE:00:4E:B3:EC:F2:41"]
    }
}]

Here's what it should look like:

[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.misterfab.twa",
    "sha256_cert_fingerprints": ["AB:4B:7F:4B:96:D1:C9:53:97:0F:95:E7:2B:7D:A3:32:37:1C:7E:9F:B5:28:56:C0:E7:D7:DA:D9:44:47:BE:C6" ]
  }
}]

So, on your Shopify config:

1. Set the Application ID to: com.misterfab.twa
2. Set the SHA-256 Fingerprint to: AB:4B:7F:4B:96:D1:C9:53:97:0F:95:E7:2B:7D:A3:32:37:1C:7E:9F:B5:28:56:C0:E7:D7:DA:D9:44:47:BE:C6

[rajandimri]

Thank you @andreban !

My app is working fine now thank you for your support 👍

[rajandimri]

@andreban , I found an issue with the Amazon App Store. Submitted APK to the amazon app store is showing the address bar. Is there any option to fix the issue?