The apk must be signed with the same certificates as the previous version


Solution 1

Nothing. Read the documentation: Publishing Updates on Android Market

Before uploading the updated application, be sure that you have incremented the android:versionCode and android:versionName attributes in the element of the manifest file. Also, the package name must be the same and the .apk must be signed with the same private key. If the package name and signing certificate do not match those of the existing version, Market will consider it a new application and will not offer it to users as an update.

Solution 2

Did you sign with the debug key by mistake?

Google Play does not allow you to publish an app signed with your debug keystore. If you try to upload such an APK, Google Play will fail with the message "You uploaded an APK that was signed in debug mode. You need to sign your APK in release mode."

However, if you try to upload an update which is signed with the debug keystore, you will not see this message; Google Play will display the message shown in the question, referring to SHA1 fingerprints.

So firstly, check whether you signed the app with your debug key by mistake.


How do I check which signing keys were used?

Gather the information from the APK

You can check which certificates the original APK and update APK were signed with by using these commands, using the Java keytool:

keytool -printcert -jarfile original.apk
keytool -printcert -jarfile update.apk

This shows you detailed information about how an APK was signed, for example:

Owner: CN=My App, O=My Company, L=Somewhere, C=DE
Issuer: CN=My App, O=My Company, L=Somewhere, C=DE
Serial number: 4790b086
Valid from: Mon Nov 11 15:01:28 GMT 2013 until: Fri Mar 29 16:01:28 BST 2041
Certificate fingerprints:
  MD5:  A3:2E:67:AF:74:3A:BD:DD:A2:A9:0D:CA:6C:D4:AF:20
  SHA1: A6:E7:CE:64:17:45:0F:B4:C7:FC:76:43:90:04:DC:A7:84:EF:33:E9
  SHA256: FB:6C:59:9E:B4:58:E3:62:AD:81:42:...:09:FC:BC:FE:E7:40:53:C3:D8:14:4F
Signature algorithm name: SHA256withRSA
Version: 3

The important parts to note here — for each APK — are the SHA1 fingerprint value, the Owner identity value, and the Valid from/until dates.


If that keytool command doesn't work (the -jarfile option requires Java 7), you can get more basic information via the jarsigner command:

jarsigner -verify -verbose:summary -certs original.apk
jarsigner -verify -verbose:summary -certs update.apk

This unfortunately does not show the SHA1 fingerprint, but does show the X.509 owner identity, along with the certificate expiry dates. For example:

sm  4642892 Thu Apr 17 10:57:44 CEST 2014 classes.dex (and 412 more)

    X.509, CN=My App, O=My Company, L=Somewhere, C=DE
    [certificate is valid from 11/11/13 12:12 to 29/03/41 12:12]
    [CertPath not validated: Path does not chain with any of the trust anchors]

You can ignore any "CertPath not validated" message, along with warnings about certificate chains or timestamps; they're not relevant in this case.

Compare the Owner, SHA1 and Expiry values between the APKs

  • If the Owner/X.509 identity value is CN=Android Debug, O=Android, C=US, then you have signed the APK with your debug key, not the original release key

  • If the SHA1 fingerprint value is different between the original and update APKs, then you did not use the same signing key for both APKs

  • If the Owner/X.509 identity values are different, or the certificate expiry dates differ between the two APKs, then you did not use the same signing key for both APKs

Note that even if the Owner/X.509 values are identical between the two certificates, this doesn't mean that the certificates are identical — if anything else does not match — such as the fingerprint values — then the certificates are different.


Search for the original keystore, check backups

If the two APKs have different certificate information, then you must find the original keystore, i.e. the file with the first SHA1 fingerprint value that Google Play (or keytool) told you.

Search through all the keystore files you can find on your computer, and in any backups you have, until you have the one with the correct SHA1 fingerprint:

keytool -list -keystore my-release.keystore

Just press Enter if prompted for the password — you don't necessarily have to enter it if you just want to quickly check the SHA1 value.


I can't find the original keystore anywhere

If you cannot find the original keystore, you will never be able to publish any updates to this particular app.

Android mentions this explicitly on the Signing Your Application page:

Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.

After the first release of an APK, all subsequent releases must be signed with the exact same key.


Can I extract the original signing key from the original APK?

No. This is not possible. The APK only contains public information, and not your private key information.


Can I migrate to a new signing key?

No. Even if you do find the original, you can't sign an APK with key A, then sign the next update with both keys A and B, then sign the next update after that with only key B.

Signing an APK (or any JAR file) with multiple keys is technically possible, but Google Play no longer accepts APKs with multiple signatures.

Attempting to do so will result in the message "Your APK has been signed with multiple certificates. Please only sign it with one certificate and upload it again."


What can I do?

You will have to build your app with a new application ID (e.g. change from "com.example.myapp" to "com.example.myapp2") and create a brand new listing on Google Play.

Possibly you will also have to change your code so that people can install the new app even if they have the old app installed, e.g. you need to make sure that you don't have conflicting content providers.

You will lose your existing install base, reviews etc., and will have to find a way to get your existing customers to uninstall the old app and install the new version.

Again, ensure you have secure backups of the keystore and password(s) you use for this version.
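The comparison in the "How do I check which signing keys were used?" section can be scripted against the output of the keytool command shown there. The following is an added example, not code from the answer: it parses the Owner, SHA1 fingerprint and validity dates out of two `keytool -printcert -jarfile` printouts (constructed samples embedded inline, modelled on the answer's output and the question's fingerprints) and applies the answer's three checks, including the debug-key check.

```python
import re
from dataclasses import dataclass

# Constructed sample output of `keytool -printcert -jarfile <apk>` for two APKs,
# modelled on the answer above; the second imitates an APK signed with the debug key.
ORIGINAL_PRINTCERT = """Owner: CN=My App, O=My Company, L=Somewhere, C=DE
Issuer: CN=My App, O=My Company, L=Somewhere, C=DE
Valid from: Mon Nov 11 15:01:28 GMT 2013 until: Fri Mar 29 16:01:28 BST 2041
Certificate fingerprints:
\t SHA1: A6:E7:CE:64:17:45:0F:B4:C7:FC:76:43:90:04:DC:A7:84:EF:33:E9
"""
UPDATE_PRINTCERT = """Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Valid from: Tue Jan 02 09:00:00 GMT 2024 until: Thu Dec 25 09:00:00 GMT 2053
Certificate fingerprints:
\t SHA1: 20:26:F4:C1:DF:0F:2B:D9:46:03:FF:AB:07:B1:28:7B:9C:75:44:CC
"""
DEBUG_OWNER = "CN=Android Debug, O=Android, C=US"

@dataclass
class SignerInfo:
    owner: str
    sha1: str
    valid_from: str
    valid_until: str

def parse_printcert(text: str) -> SignerInfo:
    # Reads the first certificate only; an APK with several signers prints one block each.
    owner = re.search(r"^Owner:\s*(.+?)\s*$", text, re.M).group(1)
    sha1 = re.search(r"SHA1:\s*([0-9A-Fa-f:]+)", text).group(1).upper()
    valid = re.search(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$", text, re.M)
    return SignerInfo(owner, sha1, valid.group(1), valid.group(2))

def compare_signers(original: SignerInfo, update: SignerInfo) -> list:
    # The checks from the answer; an empty list means both APKs use the same key.
    problems = []
    if update.owner == DEBUG_OWNER:
        problems.append("update APK is signed with the debug key, not a release key")
    if original.sha1 != update.sha1:
        problems.append("SHA1 fingerprints differ: not the same signing key")
    if original.owner != update.owner:
        problems.append("Owner/X.509 identities differ: not the same signing key")
    if (original.valid_from, original.valid_until) != (update.valid_from, update.valid_until):
        problems.append("validity periods differ: not the same certificate")
    return problems

if __name__ == "__main__":
    report = compare_signers(parse_printcert(ORIGINAL_PRINTCERT), parse_printcert(UPDATE_PRINTCERT))
    print("\n".join(report) or "same signing certificate")
```

To use it on real APKs, capture the keytool output for each file into a string and pass the two strings to parse_printcert.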

Solution 3

Nothing - Google says clearly that the application is identified by the keys used to sign it. Consequently, if you've lost the keys, you need to create a new application.

Solution 4

I just had this occur out of the clear blue. I really do not think I changed anything.

However, Build => Clean Project fixed it.

Solution 5

Today I faced the same issue; unfortunately, I had two aliases in my keystore file.

Author: artem

Updated on May 07, 2022

Comments

  • artem
    artem about 2 years

    I had uploaded my app to Google Play (back when it was called Android Market) some time ago.

    Today I updated the app, but I had deleted the previous keystore and created a new one.
    When uploading, it says the APK must be signed with the same certificates as the previous version:

    Upload failed

    You uploaded an APK that is signed with a different certificate to your previous APKs. You must use the same certificate.

    Your existing APKs are signed with the certificate(s) with fingerprint(s):
    [ SHA1: 89:2F:11:FE:CE:D6:CC:DF:65:E7:76:3E:DD:A7:96:4F:84:DD:BA:33 ]
    and the certificate(s) used to sign the APK you uploaded have fingerprint(s):
    [ SHA1: 20:26:F4:C1:DF:0F:2B:D9:46:03:FF:AB:07:B1:28:7B:9C:75:44:CC ]

    But I don't have this certificate, and don't want to delete and re-publish the application, because it has active users.

    What can I do to sign my app with new certificate?

    • Mariux
      Mariux over 12 years
      I'm having a different issue: I tried to upgrade an app but it keeps giving me this error. The fact is, I've never changed the keystore!!! What can I do?!?
    • Elizabeth
      Elizabeth about 8 years
      How did you solve it??
    • Amit Sharma
      Amit Sharma over 4 years
      @int_32 How did you solve it??
  • Rubycon
    Rubycon over 13 years
    "..use jarSigner to extract certificate from that apk" - Tell us how to do this?
  • botteaap
    botteaap over 13 years
    That will not recover the private key you'd need to sign the apk again.
  • Peter Knego
    Peter Knego over 13 years
    Great answer. I never realized that if the key is lost then the app cannot be updated. Must keep in mind to back up the key in a secure place.
  • om252345
    om252345 almost 12 years
    Apk must be signed with same private key
  • Krishnabhadra
    Krishnabhadra over 11 years
    What I would do normally is to store the keystore file in svn. Put a new folder named credential, along with trunk/tag/branches, and store the keystore file there. Also add a new .txt file indicating the keystore file. The keystore is as important as the source code. Once you lose it (or forget the password) you are SCREWED..
  • Christopher Orr
    Christopher Orr over 9 years
    Please DO NOT check your keystore password (or any passwords for that matter) into source control, as @Krishnabhadra says. Keep the keystore and password separate, and the password secure.
  • Christopher Orr
    Christopher Orr over 9 years
    @sports They do warn you. Notice the big red Warning message: developer.android.com/tools/publishing/…
  • Christopher Orr
    Christopher Orr over 9 years
    @sports In any case, you can publish more than one app on the same developer account, so you don't need to pay again.
  • Admin
    Admin over 9 years
    What?! But it just told me my key was too old so I deleted it and created a new one, and now I get this!?
  • Christopher Orr
    Christopher Orr about 9 years
    @iwayneo The build system might have told you that your debug key was too old, but that's very unlikely to have happened with a release key, since Google Play should reject keys that expire before October 2033.
  • CularBytes
    CularBytes about 9 years
    I've tried the command you gave, for checking for debug (which I was actually searching for), but it returns an error that the jar contains signatures that do not include a timestamp. I created my apk using this thread: stackoverflow.com/questions/16622843/…
  • Christopher Orr
    Christopher Orr about 9 years
    @RageCompex Do you get no output and only an error? When I run that command, I also get a timestamp warning (not an error). So long as you get the X.509 output, that's all you need.
  • CularBytes
    CularBytes about 9 years
    Yes, I do get the X.509 output, so it is not a problem I guess? What about [CertPath not validated: Path does not chain with any of the trust anchors], not a problem either? I do see my name at CN so I guess I properly signed it :)
  • Christopher Orr
    Christopher Orr about 9 years
    @RageCompex This is already answered in the "Check the signing keys used" section.
  • LS_
    LS_ almost 8 years
    You lost the private key and you were able to retrieve it this way? If the answer is yes, is it possible for you to link where to download the tool? And how do I open the app?
  • Gerry
    Gerry over 7 years
    This is no longer true, you cannot upload a new apk if the signed cert has changed
  • Ajeet
    Ajeet over 5 years
    I had a mini heart attack today. I used these command lines to figure out the hidden Keystore. Thanks a lot, man! You saved me... Really :D
  • Upsilon42
    Upsilon42 over 5 years
    Hmm, I've spent 1 week and did everything possible, and it's time to say "WTF", but it's the only thing that helped. (I've also tried invalidating caches; that didn't help..) Thanks
  • Boris Legovic
    Boris Legovic over 5 years
    This fixed the issue after going crazy for one hour
  • Infinite Loops
    Infinite Loops almost 5 years
    I don't see this is related.
  • Amit Sharma
    Amit Sharma over 4 years
    Is there anyone who solved this issue? Because I have already done each & every step as per the above answer but I can't update my app, and Google is showing me the same response as in the above question.
  • Arun
    Arun over 4 years
    Thanks a lot! I accidentally generated a signed apk with a different keystore file and credentials and uploaded it. Kept getting the same error even after uploading an apk with the correct keystore. After an hour of creating new releases with invalidate cache, Android Studio and PC restarts, this finally fixed it.
  • iHulk
    iHulk about 4 years
    After a lot of hit and trial, I came to this answer and magically it worked for me, but I'm still figuring out how!!
  • nathanfranke
    nathanfranke almost 4 years
    This does not answer the question.
  • mesqueeb
    mesqueeb over 3 years
    @rubycon can you clarify what is meant exactly with package name ?
  • Rubycon
    Rubycon over 3 years
    @mesqueeb it's about 'com.company.appname' part
  • Try2prog
    Try2prog about 3 years
    How could you do it on VS Code? I think I have a similar issue
  • Prajwal Kulkarni
    Prajwal Kulkarni about 3 years
    Works like a charm, and served my purpose. Thanks for the share.