So I see I do already have Play App Signing enabled. It says "Google is protecting the app signing key for your app and signing each release so Android devices can trust that updates are from you. This makes it possible for your app to be published with the Android App Bundle."
Looked into jarsigner but it wants a keystore file - I've never had one of those before in previous Android processes.