Signing an APK using an upload key provided by Google Play

I'm trying to figure out how to upload an application to Google Play using Google Play App Signing.

Here is what I did:

  • Created the application
  • Used keytool.exe to generate a key for this application.
  • Uploaded the app to Google Play
  • Enrolled in Google Play App Signing
  • Tried uploading the application again, without success.

It complains that the certificate is not the upload certificate:

Upload new APK to Production

Upload failed: You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint: [SHA1: 0C: ...] and the certificate used to sign the APK you uploaded has fingerprint: [SHA1: 2D: ...]

After searching for a while, I learned that I should import the certificate downloaded from the Google Play console into my keystore. Something like this:

keytool.exe -importcert -file upload.pem -keystore myapp-release-key.keystore

The certificate seems to have been imported. When I list the contents of the keystore, this is what I get:

keytool.exe -list -keystore trackcoachfull-release-key.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myappfull, May 18, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 2D: ...
uploadkey, May 19, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 0C: ...

Now here is where I'm stuck...

In Android Studio, I am trying to generate a signed APK using uploadkey.

Build > Generate Signed APK
Select the keystore above
Enter the keystore password
Select uploadkey as the key alias
I can enter a key password.

Error in Android Studio:

Error: Execution failed for task ':app:packageFullRelease'.

com.android.ide.common.signing.KeytoolException: Failed to read key uploadkey from store "C:\Users\Admin\AndroidStudioProjects\keystore\myappfull-release-key.keystore": trusted certificate entries are not password-protected

My question is:

How do you create an APK signed with an upload key provided by Google Play?

thanks

+42
android google-play apk keytool android-app-signing
5 answers

I was able to sign the APK using the upload key provided by Google Play. Below are the steps that I followed for a new application:

  • Create a keystore and add a signing key using Android Studio
  • Sign the application using the key created in (1)
  • Upload the APK to Google Play.
  • Download the "Upload Certificate" from the Google Play console.
  • Add the downloaded certificate to the keystore created in step (1) using the command keytool.exe -importcert -file upload_cert.der -keystore <keystorefile>
  • You should see the prompt "Certificate already exists in keystore under alias <...>. Do you still want to add it? [no]:"
  • Type 'y' and press enter
  • A confirmation message appears.
  • For subsequent builds, sign the application using the same process as in (2)

It is important to note that in step (6), the keytool import replaces the original certificate with the one downloaded from Google Play.

+49

Short answer:

You cannot sign an APK with the upload certificate from the Google Play console.

I hope this answer saves others from spending as much time as I did trying to find a solution that does not exist.


Long answer:

The Google Play support article Managing your app’s signing keys contains the information you need to understand this.

From the section "Key types and important definitions":

  • Upload key (optional for existing apps): the new key that you generate when enrolling in the program. You will use the upload key to sign all future APKs before uploading them to the Play Console.
  • Private key: For APK signing, this is the key used to sign the APK. The private key must be kept secret.
  • Public key: For APK signing, this is the key used to verify the APK signature. The public key can be seen by everyone.
  • Certificate: The certificate contains a public key, as well as some additional information about who owns the key.

Then note that from the Google Play console you can only download an upload certificate (as opposed to an upload key). Based on the above definitions, we can conclude that:

  1. The upload key is a private key, because the upload key is used to sign the APK.
  2. The upload certificate does not contain a private key, because certificates usually contain public keys, not private keys (there are exceptions, in some formats, but not in this case).
  3. Therefore, the upload certificate cannot be used to sign the APK, no matter what steps you take. It simply does not contain the necessary information.

As further evidence, this other SO question (Android signing error: trusted certificate entries are not password protected) addresses the same issue; however, since it does not refer to upload keys/certificates, it is easy to overlook the implication for this question: that nothing you can download from Google Play will solve this problem.


Claims to the contrary

Although some people report that you can sign your APK using the upload certificate downloaded from Google Play, I believe that they misunderstand what happened. Note that, as a rule, these reports say that you should import the certificate into the original keystore used to generate the key. In fact, while they think they are importing the (private) key needed to sign the APK, they are actually just importing the public key and overwriting the public half of the key pair with the very same public key that was exported in the certificate in the first place.

If they had tried to sign an APK with this alias WITHOUT the import procedure, it would have worked just as well. (The import did not change anything for them.) That is why the import only seems to work when used with the original keystore, and not with a new keystore.


So what can you do instead?

It depends on your situation. Since the goal is to sign the APK and successfully upload it to Google:

  1. At some point during the setup of "Google Play App Signing", someone generated an upload key and registered it with Google. If you still have this (private) key in a keystore, this is exactly what you need to sign your APK.
  2. If you generated the upload key using a tool other than keytool and then imported it into a keystore, and you still have the source file that was generated, you can import the private key into another keystore again using the same process as the first time.
  3. If none of the above options apply, you can follow the instructions in the "Creating a new upload key" section of the "Managing your app’s signing keys" article to generate a new upload key and ask Google to replace it.
+20
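The first answer's import procedure and the second answer's point (an imported upload certificate is a trustedCertEntry with no private key behind it) come down to one check you can run on your own keystore listing. This is an added example, not code from the question or any answer; the keystore listing and fingerprints are constructed to mirror the question, and the helper names are my own.

```shell
# Added example (not from the question or any answer): read a `keytool -list`
# listing and decide which alias can sign an APK for the upload certificate
# the Play Console expects. A trustedCertEntry holds only a public key, so
# only a PrivateKeyEntry whose fingerprint matches can sign.
# Constructed listing mirroring the question (fingerprints are made up): the
# imported upload certificate (0C:...) has no private key behind it.
LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myappfull, May 18, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D:2D
uploadkey, May 19, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C:0C'

# entry_type LISTING ALIAS -> PrivateKeyEntry | trustedCertEntry | (empty)
entry_type() {
  printf '%s\n' "$1" | awk -v a="$2" -F', ' '$1 == a { sub(/,$/, "", $NF); print $NF; exit }'
}
# alias_fingerprint LISTING ALIAS -> the fingerprint printed under ALIAS
alias_fingerprint() {
  printf '%s\n' "$1" | awk -v a="$2" -F', ' '
    hit && /Certificate fingerprint/ { sub(/^[^:]*: */, ""); print; exit }
    $1 == a { hit = 1 }'
}
# can_sign LISTING ALIAS -> exit status 0 only if ALIAS holds a private key
can_sign() { [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ]; }

# signing_alias_for LISTING FINGERPRINT -> the PrivateKeyEntry alias whose
# certificate has FINGERPRINT; prints nothing when no private key matches
signing_alias_for() {
  printf '%s\n' "$1" | awk -v fp="$2" -F', ' '
    /, PrivateKeyEntry,$/  { alias = $1; next }
    /, trustedCertEntry,$/ { alias = ""; next }
    alias != "" && /Certificate fingerprint/ {
      sub(/^[^:]*: */, ""); if ($0 == fp) { print alias; exit } }'
}

# upload_cert_fingerprint FILE -> SHA1 of the certificate downloaded from the
# Play Console (needs keytool on PATH; not used by the demo below)
upload_cert_fingerprint() {
  keytool -printcert -file "$1" | awk '/SHA1:/ { sub(/^[^:]*: */, ""); print; exit }'
}

# Demo: the Play error names the upload certificate's fingerprint; find the
# alias that can sign for it (none here, which is exactly the question's state)
WANTED=$(alias_fingerprint "$LISTING" uploadkey)
ALIAS=$(signing_alias_for "$LISTING" "$WANTED")
echo "alias able to sign for $WANTED: ${ALIAS:-<none: no private key for this certificate>}"
```

On a real machine, feed `keytool -list -keystore <file>` output as LISTING and `upload_cert_fingerprint upload_certificate.pem` as the wanted fingerprint; an empty result means the keystore cannot produce an APK that Play will accept, whatever you import into it.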

I think that you must have created your keystore like this from the java\bin folder:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

If you want to update your application, you will have to use the same keystore you created.

  • Go to Build> Generate Signed APK.

  • Select "Select Existing" and go to the path to the keystore

  • Enter "keystore password"

  • In the key alias, click "..." and check if your key alias matches the one you provided when creating the keystore

  • If yes, specify "Key Password" again

  • Click "Next"

Let me know at what stage you are getting the problem, so I can guide you accordingly.

+3

Sometimes the following happens: one keystore has two certificates, which differ by alias or password. Try looking at the properties of both keystore entries. I am sure one of them is a valid key with the correct alias. Use this command:

keytool -list -keystore WeatherForecast.jks (your keystore)

Press enter when it asks for a password.

You will see two entries, and the first word of each will be the alias in your keystore.

It worked for me, and I think it will work for you.

+1

I had to contact Google and follow the instructions below to generate a new key and upload a certificate.

The new upload key will be used to sign the APKs that you upload to Play.

Here's how to generate and register a new upload key:

  1. Follow the instructions in the Android Studio help center to create a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key: keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

This key must be a 2048-bit RSA key and have a validity period of 25 years.

2. Export the certificate for this key to the PEM format: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

3. Reply to this email and attach the upload_certificate.pem file.

0