
I have a white-label app that uses OTP phone verification via Firebase. I plan to brand and publish this app several times with distinguishable icons and themes under different names.

I want to use Google App Signing in which I release a bundle file (.aab) and let Google sign the application for me. This is what Google recommends, because it will prevent the keystore from being leaked / exploited. After all, using Google App Signing will streamline the publishing experience, since Apple will sign my app for the App Store as well. I also want to restrict my Firebase API key that is added in the Google Cloud.

In summary: The SHA-1 and SHA-256 signature hash from Google's keystore needs to be added in the project settings of Firebase and in the app restriction section of my Firebase API key within the Google Cloud Credentials dashboard, because only then can I use the Firebase OTP phone verification. However, I also have to download the google-services.json and add it to my app build. If I don't do the last step, I will still get the error:

E FirebaseAuth [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17499 Requests from this Android client application are blocked.

To fix this, I have to provide the SHA-1 and SHA-256 hash to Firebase before building my app, since I have to download and add the google-services.json to my build after this step. The crux is, I cannot obtain the signing hashes before creating a release:

App Integrity before creating a release in Play Store Console

Long story short: I have to create a release with a wrong google-services.json to be able to obtain my SHA-1 and SHA-256, which I then add in Firebase, re-download my now correct google-services.json just to create another release and to fix my app?

This is a heavy additional step that feels absolutely unnecessary and hindering for mass publishing.

Is there any way to circumvent this terrible design choice by Google to make my app work with OTP Firebase phone verification on the initial release when using Google App Signing?

Martin Braun
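A pre-release check for the situation described in the question, added here as an example and not part of the original post: it confirms that the google-services.json bundled for each branded package lists the SHA-1 shown under App Integrity. It assumes the usual file layout, where each Android OAuth client carries `android_info.package_name` and `android_info.certificate_hash` (SHA-1 as lowercase hex without colons); the package names and fingerprints are constructed.

```python
import json

# Constructed sample: a google-services.json trimmed to the fields this check
# reads. Package names and hashes are made up for illustration.
SAMPLE = json.loads("""
{"client": [
  {"client_info": {"android_client_info": {"package_name": "com.example.branda"}},
   "oauth_client": [
     {"client_type": 1,
      "android_info": {"package_name": "com.example.branda",
                       "certificate_hash": "0123456789abcdef0123456789abcdef01234567"}},
     {"client_type": 3}]},
  {"client_info": {"android_client_info": {"package_name": "com.example.brandb"}},
   "oauth_client": [{"client_type": 3}]}
]}
""")

# Constructed fingerprints, in the colon-separated form the consoles display.
EXPECTED = {
    "com.example.branda": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
    "com.example.brandb": "FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98",
}

def normalize(fingerprint):
    """Reduce 'AA:BB:..' or 'aabb..' to bare lowercase hex for comparison."""
    return fingerprint.replace(":", "").strip().lower()

def registered_sha1(config, package):
    """Collect every SHA-1 registered for `package` in the parsed config."""
    found = set()
    for client in config.get("client", []):
        for oauth in client.get("oauth_client", []):
            info = oauth.get("android_info", {})
            if info.get("package_name") == package and "certificate_hash" in info:
                found.add(normalize(info["certificate_hash"]))
    return found

def missing_brands(config, expected):
    """Return the packages whose expected signing SHA-1 is absent from config."""
    return sorted(pkg for pkg, fp in expected.items()
                  if normalize(fp) not in registered_sha1(config, pkg))

if __name__ == "__main__":
    for pkg in missing_brands(SAMPLE, EXPECTED):
        print(f"{pkg}: signing SHA-1 not present in google-services.json")
```
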
