fix: add missing debug's keystore #31681

Draft: ieow wants to merge 1 commit into main from cw/debug-keystore

@ieow (Contributor) commented Jun 15, 2026

Description

Local debug APK builds (prodDebug, etc.) were signed with the machine-local default Android debug keystore (~/.android/debug.keystore) instead of the shared android/keystores/debug.keystore checked into the repo.

Android Gradle Plugin always applies the built-in debug signing config for debug build types, which overrides the flavor-level mainDev config even when METAMASK_ENVIRONMENT=dev. That produced a different certificate fingerprint per developer machine, breaking integrations that key off the team debug certificate (e.g. Google Sign-In / OAuth redirect validation).

This PR adds an explicit debug signing config in android/app/build.gradle that points to ../keystores/debug.keystore, so all debug variants use the repo keystore and produce a consistent SHA fingerprint.

Changelog

CHANGELOG entry: null

Related issues

Refs: N/A — local Android debug signing configuration

Manual testing steps

Feature: Debug build signing

  Scenario: prodDebug APK uses the repo debug keystore
    Given a clean Android build tree
    And METAMASK_ENVIRONMENT=dev

    When I build a debug APK (e.g. yarn start:android or ./gradlew app:assembleProdDebug)
    And I run apksigner verify --print-certs on the output APK
    Then the APK SHA-256 fingerprint matches android/keystores/debug.keystore
    And it does not match ~/.android/debug.keystore

Screenshots/Recordings

N/A — build/signing configuration change only; verification is via apksigner / keytool fingerprint comparison.

Before

N/A

After

N/A

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
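
The fingerprint comparison from the manual testing steps above, as an added example that is not part of the PR or the project's code. The function names, the script name `which-keystore.sh`, the `KS_PASS` variable and the sample fingerprints are constructed for illustration, and it assumes both keystores use the stock Android debug store password `android`.

```shell
#!/bin/sh
# Added example (not from the PR): tell which keystore signed a debug APK by
# comparing SHA-256 certificate fingerprints. Sample fingerprints are constructed.

# Strip colons/whitespace and lowercase the hex so both tool formats compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'; }

# stdin: `apksigner verify --print-certs` output; prints the first signer digest.
apk_fp() { sed -n 's/^.*certificate SHA-256 digest: *//p' | head -n 1; }

# stdin: `keytool -list -v` output; prints the first entry's SHA256 fingerprint.
keystore_fp() { sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1; }

# same_cert APKSIGNER_OUT KEYTOOL_OUT: succeeds only on a non-empty exact match.
same_cert() {
  a=$(norm_fp "$(printf '%s\n' "$1" | apk_fp)")
  k=$(norm_fp "$(printf '%s\n' "$2" | keystore_fp)")
  [ -n "$a" ] && [ "$a" = "$k" ]
}

# classify APKSIGNER_OUT REPO_KEYTOOL_OUT LOCAL_KEYTOOL_OUT -> repo|local|unknown
classify() {
  if same_cert "$1" "$2"; then echo repo
  elif same_cert "$1" "$3"; then echo local
  else echo unknown; fi
}

# Constructed tool output for an offline run (made-up fingerprints).
SAMPLE_APK='Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9'
SAMPLE_REPO='Certificate fingerprints:
    SHA256: 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
SAMPLE_LOCAL='Certificate fingerprints:
    SHA256: F9:E8:D7:C6:B5:A4:93:82:71:60:5F:4E:3D:2C:1B:0A:F9:E8:D7:C6:B5:A4:93:82:71:60:5F:4E:3D:2C:1B:0A'

# Real run, paths as in the PR description:
#   sh which-keystore.sh app.apk android/keystores/debug.keystore ~/.android/debug.keystore
# Assumption: both keystores use the stock Android debug password "android".
if [ "$#" -eq 3 ]; then
  pw=${KS_PASS:-android}
  classify "$(apksigner verify --print-certs "$1")" \
           "$(keytool -list -v -keystore "$2" -storepass "$pw")" \
           "$(keytool -list -v -keystore "$3" -storepass "$pw")"
fi
```

A result of `local` means the build is still picking up the machine-local keystore; `unknown` means neither certificate matched and the signing config should be inspected directly.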

@github-actions (Contributor) commented

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@mm-token-exchange-service (Bot) added the team-onboarding (Onboarding team) label Jun 15, 2026

@mm-token-exchange-service (Bot) commented Jun 15, 2026

PR template — items to address before "Ready for review"

Warnings — informational, address before merging:

See docs/readme/ready-for-review.md for the full Definition of Ready for Review.

@github-actions (Contributor) commented

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 97%

E2E Test Selection:
The only changed file is android/app/build.gradle, and the diff shows a purely additive build configuration change: adding a debug signing config block that references the same debug keystore already used by the existing signing configuration. This is a build/signing infrastructure change with no impact on:

  • App logic, UI, or navigation flows
  • Any controllers, Engine, or core modules
  • E2E test flows or test infrastructure
  • Performance-sensitive code paths

No E2E tests need to run for this change, and no performance tests are warranted.

Performance Test Selection:
The change is limited to Android build.gradle signing configuration. No app code, performance-sensitive flows, or performance test specs were modified. No performance tests are needed.

@ieow ieow requested a review from tommasini June 15, 2026 08:18