Use case: Using the SHA256 fingerprint of the signed APK to encrypt some data and save it to a file, and then decrypting it in the app afterwards on the release build. The data will have to be encrypted in a hard-coded way, as we will use the keystore information and the one with Google Play Signing.
Edit: I'm asking this in a way where we don't explicitly update a new certificate after losing our keystore file, for example. This is only for the info about Google Play itself, whether they change it or not on their own.
I couldn't really find any documents about it (or maybe I don't know how to search), but as you know, when publishing an app, you can either enroll with Google Play Signing or publish it normally. In our applications, we query the SHA256 fingerprint of the APK by using `PackageManager` to encrypt some info, and I know that using Google Play Signing changes the output for this, as we've encountered issues before.
The output change is roughly fine, as long as it is permanent and not changed. But, I'm not sure if that's the case, so here is my question:
Does Google Play App Signing change the fingerprint or certificate on its own after the app has been published once? Or does it keep the fingerprints or certificates the same? Any help is appreciated, thanks.
Every app, either for debug or build, has its own unique SHA key generated that uniquely identifies the app version.
No, the Google console doesn't change the SHA key once it is assigned to the APK. Also, from then on, every time you publish an update for your app, the updated app version is linked as the subsequent child version of the parent release-signed APK.
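The fingerprint lookup described in the question, as an added example that is not part of the original posts: it reads the SHA-256 fingerprints of the certificates Android reports for the installed app, including any rotation history. The class and method names are hypothetical, and it assumes API level 28 or later for `GET_SIGNING_CERTIFICATES`.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, added for illustration.
public final class SignerFingerprints {
    private SignerFingerprints() {}

    /** SHA-256 fingerprints (lowercase hex) of the app's signing certificates. */
    public static List<String> read(Context ctx)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
        SigningInfo signing = info.signingInfo;
        List<String> out = new ArrayList<>();
        if (signing == null) {
            return out; // no signing data reported for this package
        }
        // Multiple signers: no rotation history is available, so report each signer.
        // Single signer: the history runs from the original certificate (index 0)
        // to the current one (last index).
        Signature[] certs = signing.hasMultipleSigners()
                ? signing.getApkContentsSigners()
                : signing.getSigningCertificateHistory();
        if (certs == null) {
            return out;
        }
        for (Signature cert : certs) {
            out.add(sha256Hex(cert.toByteArray())); // DER-encoded certificate bytes
        }
        return out;
    }

    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Comparing a stored fingerprint against every entry in the returned list, rather than only the last one, keeps the check working if the signing key is rotated with its lineage preserved.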