Add code signing for Android release artefacts

[freakboy3742]

What is the problem or limitation you are having?

Briefcase currently supports code signing on macOS and Windows. Code signing is also required for Android release artefacts.

Describe the solution you'd like

briefcase package android --identity <identity> should accept a path to a keystore, and use that keystore to sign the app.

briefcase package android should prompt the user to do one of:

1. Ad-hoc sign the app (i.e., do nothing explicit with signatures, as is done currently)
2. Look for any file named *.jks in the project folder, the .android subfolder of the project folder, or the user's ~/.android folder, and provide those files as candidate keystores to use.
3. Create a new keystore named org.example.myapp.jks in a .android folder of the project directory, and use that keystore.

Describe alternatives you've considered

Continue to require manual signing. The process of generating a keystore and signing the app; this is a simplification process.

Additional context

No response

[mhsmith]

You can configure both the debug and the release keystore with a build.gradle setting like this. To add it to your app, put a build_gradle_extra_content setting in the android section of your pyproject.toml file (probably as a TOML multi-line string), then rerun briefcase create android.

For a complete example, see #2189 (comment).

[JohananOppongAmoateng]

@freakboy3742 is this a priority? i would like to pick it up

[freakboy3742]

@JohananOppongAmoateng Very much so - having a signed artefact come out of briefcase publish android would be very desirable. If you have any questions about the implementation, let us know.

[JohananOppongAmoateng]

@freakboy3742 i assume gradle will handle the signing under the hood right. All i need to do is accept a path to where a keystore and use give that keystore to gradle to do the signing?

[freakboy3742]

I believe Gradle has all the tooling to handle signing internally, so we don't need to manually define the signing process.

However - two notes on implementation:

1. If the user doesn't have an existing keystore, we should generate one for them (as described above). This isn't something Gradle is responsible for.
2. We don't want to hard-code the location of the keystore in the gradle file, as the file won't be committed to version control, and likely won't be defined until the user gets to publish their app.

To that end, the Gradle template will need some additions - something like:

android {
    signingConfigs {
        release {
            storeFile file(project.findProperty("KEYSTORE_PATH") ?: "default.keystore")
        }
    }

    buildTypes {
        release {
            signingConfig signingConfigs.release
        }
    }
}

and then invoke Gradle as:

./gradlew assembleRelease -PKEYSTORE_PATH=/path/to/my/keystore.jks

so that we can pass in keystore configurations as a runtime configuration, rather than something baked into the gradle file.

Note that we'll also need to update the existing documentation about Android app signing.