Signing an APK with an upload key provided by Google Play

68,414

Solution 1

I was able to sign my APK using Upload key provided by Google Play. Here are the steps I followed for a new app:

  1. Create a keystore and add a signing key using Android Studio
  2. Sign the app using the key created in (1)
  3. Upload the APK to Google Play
  4. Download "Upload certificate" from Google Play Console
  5. Add downloaded certificate to the keystore created in step (1) using command keytool.exe -importcert -file upload_cert.der -keystore <keystorefile>
  6. It should prompt that "Certificate already exists in keystore under alias . Do you still want to add it? [no]:"
  7. Type 'y' and press enter
  8. A confirmation message will appear
  9. For subsequent builds sign the app using the same process as in (2)

An important point to note here is that in step (6), the keytool import updates the original certificate with the one downloaded from Google Play.

Solution 2

The Short Answer:

You can't sign an APK with the upload certificate in the Google Play Console.

Hopefully this answer will prevent others from wasting as much time as I did trying to find a solution that doesn't exist.


The Long Answer:

The Google Play support article Manage your app signing keys has the information needed to understand this.

From the "Types of keys & important definitions" section:

  • Upload key (optional for existing apps): A new key you generate during your enrollment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
  • Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
  • Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
  • Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.

Then, note that in Google Play Console, you can only download an upload certificate (as opposed to an upload key). Based on the definitions above, we can conclude that:

  1. the upload key is a private key, since the upload key is used to sign APKs.
  2. the upload certificate does not contain a private key, because certificates in general contain public keys, not private keys (there are exceptions, sort of, but not in this case).
  3. Therefore, the upload certificate cannot be used to sign an APK, no matter what steps you take. It just doesn't contain the necessary information.

As further evidence, this other SO question (Android signing error: trusted certificate entries are not password-protected) addresses the same issue; however, since it doesn't reference upload keys/certificates, it is easy to miss the implications for this question -- that nothing you can download from Google Play will solve this problem.


Claims to the Contrary

Although some people report it IS possible to sign your APK with your upload certificate downloaded from Google Play, I believe they are misunderstanding what has happened. Note that generally these reports indicate you must import the certificate into the original keystore used to generate the key. In fact, when they think they are importing the (private) key needed to sign APKs, they are actually merely importing the public key and overwriting the public half of the key-pair -- with the same public key that was exported in the certificate in the first place.

Had they attempted to sign the APK with that alias WITHOUT doing the import procedure, it would have worked just as well. (The import changed nothing for them.) This is why the import only seems to work when used with the original keystore, not with a new keystore.


So what can you do instead?

It depends on your situation. Since the goal is to sign an APK and successfully upload it to Google:

  1. At some point during setup of "app signing by Google Play", someone generated an upload key and registered it with Google. If you still have that (private) key in a keystore somewhere, that is exactly what you need to sign your APK.
  2. If you generated the upload key with some tool other than keytool and then imported it into your keystore, and you still have the original generated file, you could import the private key again into a different keystore, using whatever process was used the first time.
  3. If neither of the above are options, you can follow the instructions in the "Create a new upload key" section of the Manage your app signing keys article to generate a new upload key and have Google swap it in.

Solution 3

I think you must have generated your keystore like this from your "java\bin" folder:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

When you want to update your app you must use the same keystore that you generated.

  1. Go to Build > Generate Signed APK.

  2. Select "Choose existing" and browse to your keystore path

  3. Enter "key store password"

  4. In key alias tap on "..." and check whether your key alias is the same as the one you provided while generating the keystore

  5. If yes again provide "Key Password"

  6. Tap on "Next"

Let me know in which step you are getting the problem, so I can guide you accordingly.

Solution 4

I had to contact Google and followed the instructions below to generate a new key and upload certificate.

The new upload key will be used to sign APKs that you upload to Play.

Here’s how to generate and register a new upload key:

  1. Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key: keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

     This key must be a 2048 bit RSA key and have 25-year validity.

  2. Export the certificate for that key to PEM format: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

  3. Reply to this email and attach the upload_certificate.pem file.

Solution 5

Sometimes what happens is: a single keystore has two certificates and they are differentiated by alias name or password. Try to see the properties of both entries of the keystore. I am sure one of them is a valid key with a correct alias name. Use this command:

keytool -list -keystore WeatherForecast.jks(Your Keystore)

Press enter when it prompts for password.

You will see two entries and the first word would be the alias for your keystore.

It worked for me and I think surely it will work for you.
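Solution 2 explains why the imported upload certificate cannot sign anything (it is a trustedCertEntry holding only a public key), and Solution 5 suggests looking at the keystore entries with keytool -list. The script below is an added example, not code from any of the answers or from Google: it parses a keytool -list listing and reports, for a given alias, whether the entry is a PrivateKeyEntry at all and whether its fingerprint is the one the Play upload error quotes. Helper names are hypothetical, and SAMPLE_LISTING is a constructed listing shaped like the keystore in the question, with made-up fingerprints.

```shell
#!/bin/sh
# Added example (not from any of the answers above): decide from a
# `keytool -list` listing whether an alias can actually sign an APK, and
# whether its certificate fingerprint is the one Play reports for the
# upload certificate. Helper names are hypothetical; SAMPLE_LISTING is a
# constructed listing shaped like the keystore in the question (one
# PrivateKeyEntry, one trustedCertEntry) with made-up fingerprints.
# keytool prints each entry as "alias, date, EntryType," followed by a
# "Certificate fingerprint (SHA1): ..." line.

SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myappfull, May 18, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 2D:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
uploadkey, May 19, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Constructed fingerprint "reported by the Play upload error": it belongs to
# the imported certificate, which is exactly the entry that cannot sign.
PLAY_UPLOAD_FP='0C:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# entry_type LISTING ALIAS: print the entry type keytool recorded for ALIAS
# (PrivateKeyEntry, trustedCertEntry, ...), or nothing if ALIAS is absent.
# The date field contains a comma, so the type is the last field ending in "Entry".
entry_type() {
    printf '%s\n' "$1" | awk -v a="$2" -F', *' '
        $1 == a { for (i = NF; i > 0; i--) if ($i ~ /Entry$/) { print $i; exit } }'
}

# fingerprint_of LISTING ALIAS: print the SHA1 fingerprint from the line
# that follows the ALIAS entry line.
fingerprint_of() {
    printf '%s\n' "$1" | awk -v a="$2" -F', *' '
        found && /^Certificate fingerprint/ { sub(/^[^:]*: */, ""); print; exit }
        $1 == a { found = 1 }'
}

# check_upload_key LISTING ALIAS EXPECTED_FP: print one of
#   no-such-alias         alias not in the keystore
#   not-a-private-key     entry holds only a certificate (public key); this is
#                         the state behind "trusted certificate entries are not
#                         password-protected" in Android Studio
#   fingerprint-mismatch  a private key, but not the one Play expects
#   ok                    private key whose certificate matches Play's fingerprint
# and return 0 only for "ok".
check_upload_key() {
    etype=$(entry_type "$1" "$2")
    case "$etype" in
        PrivateKeyEntry) ;;
        '') echo "no-such-alias"; return 1 ;;
        *)  echo "not-a-private-key"; return 1 ;;
    esac
    fp=$(fingerprint_of "$1" "$2")
    if [ "$fp" = "$3" ]; then
        echo "ok"; return 0
    fi
    echo "fingerprint-mismatch"; return 1
}

# check_real_keystore KEYSTORE ALIAS EXPECTED_FP: the same check against a real
# keystore (needs a JDK on PATH; the store password is taken from $KEYSTORE_PASS).
check_real_keystore() {
    check_upload_key "$(keytool -list -keystore "$1" -storepass "$KEYSTORE_PASS")" "$2" "$3"
}

# Demonstration on the constructed listing.
printf 'uploadkey:  %s\n' "$(check_upload_key "$SAMPLE_LISTING" uploadkey "$PLAY_UPLOAD_FP")"
printf 'myappfull:  %s\n' "$(check_upload_key "$SAMPLE_LISTING" myappfull "$PLAY_UPLOAD_FP")"
```

On the constructed listing the alias the question tried to sign with (uploadkey) comes back as not-a-private-key, and the only private key (myappfull) comes back as fingerprint-mismatch, which is the situation Solution 2 describes: no entry in that keystore can produce the upload signature Play wants, so the way out is the matching private key from wherever it was generated, or a new upload key registered with Google as in Solution 4.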

Author by Ronald

Updated on July 08, 2022

Comments

  • Ronald
    Ronald almost 2 years

    I'm trying to make sense of how to upload an app onto Google Play while using Google Play App Signing.

    Here is what I did:

    1. Created an app
    2. Used keytool.exe to generate a key for that app
    3. Uploaded the app to Google Play
    4. Enrolled in the Google Play App Signing
    5. Tried to upload the app again without success.

    It complains that the certificate is not the certificate

    Upload new APK to Production

    Upload failed You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint: [ SHA1: 0C:... ] and the certificate used to sign the APK that you uploaded have fingerprint: [ SHA1: 2D:... ]

    After searching for a while, I found out how to put the certificate posted on my Google Play console in my keystore. Something like this:

    keytool.exe -importcert -file upload.pem -keystore myapp-release-key.keystore

    The certificate seems to be in. When I list the contents of the keystore, here's what I get:

    keytool.exe -list -keystore trackcoachfull-release-key.keystore
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    myappfull, May 18, 2017, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 2D:...
    uploadkey, May 19, 2017, trustedCertEntry,
    Certificate fingerprint (SHA1): 0C:...

    Now, where I'm blocked...

    In Android Studio, I try to generate a signed APK with the uploadkey.

    Build > Generate Signed APK
    Select the keystore above
    Enter the keystore password
    Select the uploadkey as the key alias
    I'm forced to enter a key password.

    Error in Android Studio:

    Error:Execution failed for task ':app:packageFullRelease'.

    com.android.ide.common.signing.KeytoolException: Failed to read key uploadkey from store "C:\Users\Admin\AndroidStudioProjects\keystores\myappfull-release-key.keystore": trusted certificate entries are not password-protected

    My question is this:

    How do you generate an APK signed with an upload key provided by Google Play?

    Thanks

  • Clemens
    Clemens about 7 years
    Ok, but how is this related to the process described in the question? There is already a certificate/key available (upload.pem) and converted to a keystore. The problem occurs on signing the APK using the generated keystore.
  • Patrick R
    Patrick R about 7 years
    Yes as already mentioned, if you follow all steps, it will cover that scenario as well, see #4, where it is clearly stated that if Keystore is wrong, then key alias will be different. So further signed APK will not be same as uploaded. Let me know if you need more information on this.
  • Clemens
    Clemens about 7 years
    Well, I ended up to disable Google Play App Signing for the moment and did it the "old" way with generating a keystore file and certificate locally for the first upload (from here: developer.android.com/studio/publish/app-signing.html). Interestingly, after that I got the new options and instructions, including the PEPK tool, at the console under App Signing. Maybe it is just working if you do the first upload with the self-generated certificate? Still not sure.
  • Patrick R
    Patrick R about 7 years
    It seems that you are generating a new keystore for the updated APK; if that keystore is different from the one you used when uploading the app to the store before, then it won't work.
  • Clemens
    Clemens about 7 years
    It was the very first APK upload and keystore. I was not able to get it to work with Google Play App Signing so I switched back to the "old" style. For the next upload I will use the same keystore.
  • Nabil Sham
    Nabil Sham over 6 years
    on 5. keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  • Lego
    Lego over 6 years
    I followed the -importcert process but all that was added is the alias within the upload_cert.der and not the SHA1 ref. Is this something I can fix ?
  • Christian Findlay
    Christian Findlay about 6 years
    This looks like an important part of the puzzle. The key difference here is that keytool is importing the certificate which is what we're all trying to do. I was able to successfully generate the keystore with this. But, when I sign my APK with the keystore, the fingerprint is still wrong and I get the same issue mentioned above.
  • Mohammedsalim Shivani
    Mohammedsalim Shivani over 5 years
    By updates the original certificate, do you mean it contains 2 entries by adding the old certificate or just over writes it??
  • Ayaz Aslam
    Ayaz Aslam over 5 years
    It overwrites the existing certificate with the one downloaded from Google Play.
  • Alex
    Alex over 5 years
    If using Android Studio > Generate Signed APK make sure to check Signature Versions: V1 and V2
  • Vivek Pratap Singh
    Vivek Pratap Singh about 5 years
    "the upload key is a private key, since the upload key is used to sign APKs." Not able to understand the steps for the above sentences.
  • zacronos
    zacronos about 5 years
    @VivekPratapSingh That part is just an explanation of why it is impossible to do what the OP is trying to do. If you want to skip ahead to steps to follow, you can go to the "So what can you do instead?" section.
  • James Westgate
    James Westgate almost 5 years
    As long as you specify the same name as your existing keystore file, the information is added to the keystore. This is the critical part to get this to work.
  • James Westgate
    James Westgate almost 5 years
    This works, as long as you use the same keystore file in step 5. as you did in step 1.
  • zacronos
    zacronos almost 5 years
    @JamesWestgate The information (the upload certificate) isn't really being added to the keystore though -- importing the certificate with the same alias just overwrites the public key in the keystore with the public key from the certificate, but since the certificate was created from the keystore in the first place, it's actually the exact same value, and the import changes nothing. The assumption that it is possible to sign an APK with the upload certificate in the Google Play Console is based on an incorrect understanding of how the keys and certificates are supposed to work.
  • James Westgate
    James Westgate almost 5 years
    Hi Zacronos. Luckily I created a backup of the old keystore, so I can look at the two versions of this file. The new one has two keys, the old one one. Although these keys both have the same fingerprint? To be precise, this process has added an entry of the type 'Trusted Certificate Entry' So what gives?
  • zacronos
    zacronos almost 5 years
    @JamesWestgate To start, please note that the whole point of my post is to explain that importing the upload certificate does not help toward OPs goal of being able to sign a new APK. You have provided even more evidence of this -- the old keystore already has the key you got from the upload certificate, as shown by the fact that it has the same fingerprint. I was slightly incorrect in stating that it would overwrite the original public key (since it instead saved it as a new entry). However, the new entry still doesn't help you; see stackoverflow.com/a/50875450/751577
  • Deven
    Deven over 3 years
    On step 9 getting error "Cause: trusted certificate entries are not password-protected"
  • nullUser
    nullUser over 2 years
    well explained. Excellent answer. Thanks for explaining.
  • nullUser
    nullUser over 2 years
    step 5 just overwrites the public key. Doesn't make any difference, it should work without this step too, with the original upload key whatever you have. Please update your answer if possible.
  • Yuseferi
    Yuseferi about 2 years
    a big question on this link support.google.com/googleplay/android-developer/answer/… I see this: Important: Resetting your upload key doesn’t affect the app signing key that Google Play uses to re-sign APKs before delivering them to users.. it's confusing for me now. if we just reset the upload key can we sign the application with that and release a new version of the application while we don't have access to the old application signing key?