signingReport tasks yields same SHA-256 on copied Android Studio project

Question

I've copied an Android Studio project, renamed it and replaced all textual occurences of the old app name. Yet when running the signingReport task, it gives me the same SHA-256 values as the original Android Studio project. Shouldn't the SHA-256 depend on the app itself? How to get a unique one for my copied Android Studio project?

Answer 1

That is a misunderstanding, gradle signingreport does not show the app digest but the signing certificate digest that belongs to the signing key you have used to sign the app.

Example report from Android documentation:

Variant: debug
Config: debug
Store: ~/.android/debug.keystore
Alias: AndroidDebugKey
MD5: A5:88:41:04:8D:06:71:6D:FE:33:76:87:AC:AD:19:23
SHA1: A7:89:E5:05:C8:17:A1:22:EA:90:6E:A6:EA:A3:D4:8B:3A:30:AB:18
SHA-256: 05:A2:2C:35:EE:F2:51:23:72:4D:72:67:A5:6C:8C:58:22:2A:00:D6:DB:F6:45:D5:C1:82:D2:80:A4:69:A8:FE
Valid until: Wednesday, August 10, 2044

You can see that all three digest values belong to the AndroidDebugKey hece the signing certificate (and thus also to the signing key that belongs to the certificate). The whole report is about it, it shows the key store file where the key/certificate is stored in, the name of the alias inside the key store, the fingerprints of the certificate and it's validity.

If you use the default debug or release key which is stored in your .android folder in your home directory it is not unexpected that two app projects end up with the same digest values in their signingreports.