Signing an APK with an upload key provided by Google Play

I'm trying to make sense of how to upload an app onto Google Play while using Google Play App Signing.

Here is what I did:

  1. Created an app
  2. Used keytool.exe to generate a key for that app
  3. Uploaded the app to Google Play
  4. Enrolled in the Google Play App Signing
  5. Try to upload the app again without success.

It complains that the certificate is not the certificate

Upload new APK to Production

Upload failed You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint: [ SHA1: 0C:... ] and the certificate used to sign the APK that you uploaded have fingerprint: [ SHA1: 2D:... ]

After searching for a while. I find out how to put the certificated posted on my Google Play console in my keystore. Something like this:

keytool.exe -importcert -file upload.pem -keystore myapp-release-key.keystore

The certificate seems to be in. When I list the contents of the keystore, here's what I get:

keytool.exe -list -keystore trackcoachfull-release-key.keystore Enter keystore password:

Keystore type: JKS Keystore provider: SUN

Your keystore contains 2 entries

myappfull, May 18, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 2D:... uploadkey, May 19, 2017, trustedCertEntry, Certificate fingerprint (SHA1): 0C:...

Now, where I'm blocked...

In Android Studio, I try to generate a signed APK with the uploadkey.

Build > Generate Signed APK Select the keystore above Enter the keystore password Select the uploadkey as the key alias I'm force to enter a key password.

Error in Android Studio:

Error:Execution failed for task ':app:packageFullRelease'. Failed to read key uploadkey from store "C:\Users\Admin\AndroidStudioProjects\keystores\myappfull-release-key.keystore": trusted certificate entries are not password-protected

My question is this:

How do you generate an APK signed with an upload key provided by Google Play?



I was able to sign my APK using Upload key provided by Google Play. Here are the steps I followed for a new app:

  1. Create a keystore and add a signing key using Android Studio
  2. Sign the app using the key created in (1)
  3. Upload the APK to Google Play
  4. Download "Upload certificate" from Google Play Console
  5. Add downloaded certificate to the keystore created in step (1) using command keytool.exe -importcert -file upload_cert.der -keystore <keystorefile>
  6. It should prompt that "Certificate already exists in keystore under alias . Do you still want to add it? [no]:"
  7. Type 'y' and press enter
  8. A confirmation message will appear
  9. For subsequent builds sign the app using the same process as in (2)

Important point to note here is that in step (6), the keytool import updates the original certificate with the one downloaded from Google Play.

The Short Answer:

You can't sign an APK with the upload certificate in the Google Play Console.

Hopefully this answer will prevent others from wasting as much time as I did trying to find a solution that doesn't exist.

The Long Answer:

The Google Play support article Manage your app signing keys has the information needed to understand this.

From the "Types of keys & important definitions" section:

  • Upload key (optional for existing apps): A new key you generate during your enrollment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
  • Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
  • Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
  • Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.

Then, note that in Google Play Console, you can only download an upload certificate (as opposed to an upload key). Based on the definitions above, we can conclude that:

  1. the upload key is a private key, since the upload key is used to sign APKs.
  2. the upload certificate does not contain a private key, because certificates in general contain public keys, not private keys (there are exceptions, sort of, but not in this case).
  3. Therefore, the upload certificate cannot be used to sign an APK, no matter what steps you take. It just doesn't contain the necessary information.

As further evidence, this other SO question (Android signing error: trusted certificate entries are not password-protected) addresses the same issue, however since it doesn't reference upload keys/certificates, it is easy to miss the implications for this question -- that nothing you can download from Google Play will solve this problem.

Claims to the Contrary

Although some people report it IS possible to sign your APK with your upload certificate downloaded from Google Play, I believe they are misunderstanding what has happened. Note that generally these reports indicate you must import the certificate into the original keystore used to generate the key. In fact, when they think they are importing the (private) key needed to sign APKs, they are actually merely importing the public key and overwriting the public half of the key-pair -- with the same public key that was exported in the certificate in the first place.

Had they attempted to sign the APK with that alias WITHOUT doing the import procedure, it would have worked just as well. (The import changed nothing for them.) This is why the import only seems to work when used with the original keystore, not with a new keystore.

So what can you do instead?

It depends on your situation. Since the goal is to sign an APK and successfully upload it to Google:

  1. At some point during setup of "app signing by Google Play", someone generated an upload key and registered it with Google. If you still have that (private) key in a keystore somewhere, that is exactly what you need to sign your APK.
  2. If you generated the upload key with some tool other than keytool and then imported it into your keystore, and you still have the original generated file, you could import the private key again into a different keystore, using whatever process was used the first time.
  3. If neither of the above are options, you can follow the instructions in the "Create a new upload key" section of the Manage your app signing keys article to generate a new upload key and have Google swap it in.

I think you must have generated your keystore like this from your "java\bin" folder:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

When you want to update yout app you must have to use the same keystore that you have generated.

  1. Go to Build > Generate Signed APK.

  2. Select "Choose existing" and browse to your keystore path

  3. Enter "key store password"

  4. In key alias tap on "..." and check whether your key alias is same as the one you have provided while generating keystore

  5. If yes again provide "Key Password"

  6. Tap on "Next"

Let me know in which step you are getting the problem, so I can guide you accordingly.

Sometimes what happen is: A single keystore has two certificates and they are differentiated by alias name or password. Try to see the properties of both the entries of a keystore. I am sure any one is a valid key with a correct alias name. Use this command:

Keytool -list -keystore WeatherForecast.jks(Your Keystore)

Press enter when it prompts for password.

You will see two entries and the first word would be the alias for your keystore.

It worked for me and I think surely it will work for you.

I had to contact google and followed below instructions to generate new key and upload certificate.

The new upload key will be used to sign APKs that you upload to Play.

Here’s how to generate and register a new upload key:

  1. Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key: keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

This key must be a 2048 bit RSA key and have 25-year validity.

2.Export the certificate for that key to PEM format: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

3.Reply to this email and attach the upload_certificate.pem file.

Need Your Help

Possible to default DateTime field to GETDATE() with Entity Framework Migrations?

entity-framework-4 ef-code-first ef-migrations

I added EntityFramework.Migrations (Beta 1) to an existing Code-First app that is going through some changes (for both migration capabilities and more fine-tuning of the tables I am generating from...