I'm using Support Library for downloadable fonts. I followed the official guide, which says:
When a font provider is not preinstalled or if you are using the support library, you must declare the certificates the font provider is signed with. The system uses the certificates to verify the font provider's identity.
So it's obvious that in order to use Google Font provider, I need to add the certificates for Google Play Services.
<resources>
<array name="com_google_android_gms_fonts_certs">
<item>@array/com_google_android_gms_fonts_certs_dev</item>
<item>@array/com_google_android_gms_fonts_certs_prod</item>
</array>
<string-array name="com_google_android_gms_fonts_certs_dev">
<item>
[HASH]
</item>
</string-array>
<string-array name="com_google_android_gms_fonts_certs_prod">
<item>
[HASH]
</item>
</string-array>
</resources>
What I can't find anywhere is, why are there two certificates: dev and prod? And when does each get used?
One is optimized for production, the general is this, when you develop locally, the dev version is used, however the key difference is application APK signing. When your application is officially signed and ready for deployment the prod font set is triggered.