
Signing an APK with an upload key provided by Google Play

I'm trying to make sense of how to upload an app onto Google Play while using Google Play App Signing.

Here is what I did:

1. Created an app
2. Used keytool.exe to generate a key for that app
3. Uploaded the app to Google Play
4. Enrolled in Google Play App Signing
5. Tried to upload the app again, without success.

It complains that the certificate is not the certificate

Upload new APK to Production
Upload failed
You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint:
[ SHA1: 0C:... ]
and the certificate used to sign the APK that you uploaded have fingerprint:
[ SHA1: 2D:... ]

After searching for a while, I found out how to put the certificate posted on my Google Play console into my keystore. Something like this:

keytool.exe -importcert -file upload.pem -keystore myapp-release-key.keystore

The certificate seems to be in. When I list the contents of the keystore, here's what I get:

keytool.exe -list -keystore trackcoachfull-release-key.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myappfull, May 18, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 2D:...
uploadkey, May 19, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:...

Now, where I'm blocked...

In Android Studio, I try to generate a signed APK with the uploadkey.

1. Build > Generate Signed APK
2. Select the keystore above
3. Enter the keystore password
4. Select the uploadkey as the key alias
5. I'm forced to enter a key password.

Error in Android Studio:

Error:Execution failed for task ':app:packageFullRelease'.
com.android.ide.common.signing.KeytoolException: Failed to read key uploadkey from store "C:\Users\Admin\AndroidStudioProjects\keystores\myappfull-release-key.keystore": trusted certificate entries are not password-protected

My question is this:

How do you generate an APK signed with an upload key provided by Google Play?

Thanks

I get exactly the same error message. The only difference is that I tried to use the deployment.pem to upload a Beta APK. Any progress here?
Somehow this question helped me solve my problem. I was searching for how to sign an APK with the upload key from the Play Store Console, and I found the solution in your question: importing the certificate into my keystore. When I tried to import it, it seemed that the certificate already exists under my first alias. So I just tried building the APK using the same keystore but with my first alias, and it worked. So maybe you should just use your first alias myappfull when building your APK.
I am also facing the same issue. I already had my app published in the Play Store a year back using a .keystore, and when I was about to release the app for alpha testing Google asked me to upload a certificate; following the steps, I signed the app using a .jks file. I was using the Maps API and now it's not showing. What is the workaround?
Are you able to generate a signed APK from Android Studio?

Ayaz Aslam

I was able to sign my APK using Upload key provided by Google Play. Here are the steps I followed for a new app:

1. Create a keystore and add a signing key using Android Studio
2. Sign the app using the key created in (1)
3. Upload the APK to Google Play
4. Download "Upload certificate" from Google Play Console
5. Add the downloaded certificate to the keystore created in step (1) using the command keytool.exe -importcert -file upload_cert.der -keystore 
6. It should prompt "Certificate already exists in keystore under alias . Do you still want to add it? [no]:"
7. Type 'y' and press enter
8. A confirmation message will appear
9. For subsequent builds, sign the app using the same process as in (2)

An important point to note here is that in step (6), the keytool import updates the original certificate with the one downloaded from Google Play.


On 5: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I followed the -importcert process, but all that was added is the alias within the upload_cert.der and not the SHA1 ref. Is this something I can fix?
This looks like an important part of the puzzle. The key difference here is that keytool is importing the certificate, which is what we're all trying to do. I was able to successfully generate the keystore with this. But when I sign my APK with the keystore, the fingerprint is still wrong and I get the same issue mentioned above.
By "updates the original certificate", do you mean it contains 2 entries by adding the old certificate, or that it just overwrites it?
If using Android Studio > Generate Signed APK, make sure to check Signature Versions: V1 and V2
zacronos

The Short Answer:

You can't sign an APK with the upload certificate in the Google Play Console.

Hopefully this answer will prevent others from wasting as much time as I did trying to find a solution that doesn't exist.

The Long Answer:

The Google Play support article Manage your app signing keys has the information needed to understand this.

From the "Types of keys & important definitions" section:

- Upload key (optional for existing apps): A new key you generate during your enrollment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
- Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
- Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
- Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.

Then, note that in Google Play Console, you can only download an upload certificate (as opposed to an upload key). Based on the definitions above, we can conclude that:

- the upload key is a private key, since the upload key is used to sign APKs.
- the upload certificate does not contain a private key, because certificates in general contain public keys, not private keys (there are exceptions, sort of, but not in this case).

Therefore, the upload certificate cannot be used to sign an APK, no matter what steps you take. It just doesn't contain the necessary information.

As further evidence, this other SO question (Android signing error: trusted certificate entries are not password-protected) addresses the same issue, however since it doesn't reference upload keys/certificates, it is easy to miss the implications for this question -- that nothing you can download from Google Play will solve this problem.

Claims to the Contrary

Although some people report it IS possible to sign your APK with your upload certificate downloaded from Google Play, I believe they are misunderstanding what has happened. Note that generally these reports indicate you must import the certificate into the original keystore used to generate the key. In fact, when they think they are importing the (private) key needed to sign APKs, they are actually merely importing the public key and overwriting the public half of the key-pair -- with the same public key that was exported in the certificate in the first place.

Had they attempted to sign the APK with that alias WITHOUT doing the import procedure, it would have worked just as well. (The import changed nothing for them.) This is why the import only seems to work when used with the original keystore, not with a new keystore.

So what can you do instead?

It depends on your situation. Since the goal is to sign an APK and successfully upload it to Google:

- At some point during setup of "app signing by Google Play", someone generated an upload key and registered it with Google. If you still have that (private) key in a keystore somewhere, that is exactly what you need to sign your APK.
- If you generated the upload key with some tool other than keytool and then imported it into your keystore, and you still have the original generated file, you could import the private key again into a different keystore, using whatever process was used the first time.
- If neither of the above are options, you can follow the instructions in the "Create a new upload key" section of the Manage your app signing keys article to generate a new upload key and have Google swap it in.


"the upload key is a private key, since the upload key is used to sign APKs." Not able to understand the steps for the above sentences.
@VivekPratapSingh That part is just an explanation of why it is impossible to do what the OP is trying to do. If you want to skip ahead to steps to follow, you can go to the "So what can you do instead?" section.
As long as you specify the same name as your existing keystore file, the information is added to the keystore. This is the critical part to get this to work.
@JamesWestgate The information (the upload certificate) isn't really being added to the keystore though -- importing the certificate with the same alias just overwrites the public key in the keystore with the public key from the certificate, but since the certificate was created from the keystore in the first place, it's actually the exact same value, and the import changes nothing. The assumption that it is possible to sign an APK with the upload certificate in the Google Play Console is based on an incorrect understanding of how the keys and certificates are supposed to work.
Hi Zacronos. Luckily I created a backup of the old keystore, so I can look at the two versions of this file. The new one has two keys, the old one has one. Although these keys both have the same fingerprint? To be precise, this process has added an entry of the type 'Trusted Certificate Entry'. So what gives?
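The practical check that follows from the two answers above (Ayaz Aslam's import procedure and zacronos's explanation that the certificate holds only the public key) is to find which PrivateKeyEntry in your keystore already carries the fingerprint of the downloaded upload certificate, and to ignore any trustedCertEntry with that fingerprint, since it cannot sign. The script below is an added example, not code from the question or from Google; it recomputes the keytool-style SHA1 fingerprint from the PEM bytes with the standard library only, and the certificate bytes and `keytool -list` output it feeds in are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body back into DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def sha1_fingerprint(der: bytes) -> str:
    """keytool-style fingerprint: SHA-1 over the DER encoding, colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# One keystore entry as printed by `keytool -list`: "alias, date, kind," then the
# fingerprint on the same or the following line (the question's output was flattened).
LIST_ENTRY = re.compile(
    r"^(?P<alias>[^,\n]+),.*?(?P<kind>PrivateKeyEntry|trustedCertEntry),?\s*"
    r"Certificate fingerprint \(SHA1\):\s*(?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)


def parse_keytool_list(listing: str) -> dict:
    """Map alias -> (entry kind, SHA1 fingerprint) from `keytool -list` output."""
    return {m["alias"]: (m["kind"], m["fp"].upper()) for m in LIST_ENTRY.finditer(listing)}


def signing_alias_for(upload_cert_pem: str, listing: str):
    """Return the PrivateKeyEntry alias whose certificate matches the upload certificate.

    A trustedCertEntry with the same fingerprint is skipped on purpose: it is exactly the
    entry the -importcert step creates, and it has no private key to sign with.
    """
    wanted = sha1_fingerprint(pem_to_der(upload_cert_pem))
    for alias, (kind, fp) in parse_keytool_list(listing).items():
        if kind == "PrivateKeyEntry" and fp == wanted:
            return alias
    return None


# Constructed sample data: FAKE_DER stands in for the DER bytes of a real upload certificate.
FAKE_DER = b"abc"
UPLOAD_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LISTING = (
    "Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 2 entries\n\n"
    f"myappfull, May 18, 2017, PrivateKeyEntry,\nCertificate fingerprint (SHA1): {sha1_fingerprint(FAKE_DER)}\n"
    f"uploadkey, May 19, 2017, trustedCertEntry,\nCertificate fingerprint (SHA1): {sha1_fingerprint(FAKE_DER)}\n"
)

if __name__ == "__main__":
    print("sign with alias:", signing_alias_for(UPLOAD_PEM, SAMPLE_LISTING))  # myappfull
```

Feed it the PEM downloaded from the Play Console and the real `keytool -list` output; the alias it names is the one to pick in Generate Signed APK, and `None` means the matching private key is not in that keystore.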
Patrick R

I think you must have generated your keystore like this from your "java\bin" folder:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

When you want to update your app, you must use the same keystore that you generated.

1. Go to Build > Generate Signed APK.
2. Select "Choose existing" and browse to your keystore path
3. Enter "key store password"
4. In key alias tap on "..." and check whether your key alias is the same as the one you provided while generating the keystore
5. If yes, again provide "Key Password"
6. Tap on "Next"

Let me know in which step you are getting the problem, so I can guide you accordingly.


Ok, but how is this related to the process described in the question? There is already a certificate/key available (upload.pem) and converted to a keystore. The problem occurs on signing the APK using the generated keystore.
Yes, as already mentioned, if you follow all the steps it will cover that scenario as well; see #4, where it is clearly stated that if the keystore is wrong, then the key alias will be different. So the further signed APK will not be the same as the uploaded one. Let me know if you need more information on this.
Well, I ended up disabling Google Play App Signing for the moment and did it the "old" way, generating a keystore file and certificate locally for the first upload (from here: developer.android.com/studio/publish/app-signing.html). Interestingly, after that I got the new options and instructions, including the PEPK tool, at the console under App Signing. Maybe it only works if you do the first upload with the self-generated certificate? Still not sure.
It seems that you are generating a new keystore for the updated APK; if that keystore is different from the one you used while uploading the app to the store before, then it won't work.
It was the very first APK upload and keystore. I was not able to get it to work with Google Play App Signing, so I switched back to the "old" style. For the next upload I will use the same keystore.
Rahim Dastar

Sometimes what happens is: a single keystore has two certificates and they are differentiated by alias name or password. Try to see the properties of both entries of the keystore. I am sure one of them is a valid key with a correct alias name. Use this command (WeatherForecast.jks is your keystore):

keytool -list -keystore WeatherForecast.jks

Press enter when it prompts for password.

You will see two entries and the first word would be the alias for your keystore.

It worked for me and I think surely it will work for you.


Manoj Alwis

I had to contact Google and followed the instructions below to generate a new key and upload certificate.

The new upload key will be used to sign APKs that you upload to Play.

Here’s how to generate and register a new upload key:

1. Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key:

keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

This key must be a 2048 bit RSA key and have 25-year validity.

2. Export the certificate for that key to PEM format:

keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

3. Reply to this email and attach the upload_certificate.pem file.