In Azure DevOps, I'm unzipping an aab, modifying some files (icons, resources, manifest) in the aab, and using bundletool to build the modules. My next steps are:
I am assuming that I'm signing more times than necessary since I'm doing it 3 times (the AAB, the APKS, and the APK). Which signing is necessary? It only takes less than 10s for each signing task, but each task adds extra complexity and I would like this as simple as possible for re-usability.
Here's a summary of the required signing:
App Bundle (.aab)
Signing needed (with jarsigner) before uploading to the Play Store.
No signing needed during development or testing.
APK Set (.apks)
Signing not needed. Ever.
APKs (.apk) (the ones inside the APK Set)
Signature always required (unless you're not going to install those APKs).
Bundletool will automatically sign them the APKs it generates in the .apks when pass the --ks flag, so most devs never have to do it themselves.
However, you've mentioned that you modify "some files": if you modify the APKs, you will need to sign them again (ideally with apksigner and not jarsigner -- more secure, and makes APKs faster to install).