Expo - Android App bundle signed with wrong key - android

I have an app that is published to the Google Play store and I recently upgraded my expo sdk version from 28 to 39. When I uploaded the App Bundle for the new release I got an error saying that the upload certificates did not match. I initially tried following this user's advice (https://stackoverflow.com/a/59517306/9053902) but had no success. I eventually submitted a request for a key reset per the Google support docs (https://support.google.com/googleplay/android-developer/answer/9842756#create).
After the key was reset I attempted to build and resubmit but got the same upload certificate mismatch error. So I ran "expo build:android -c". Now the error says the signing key is wrong. I have the original downloaded .jks file, keystore password, key alias, and key password so I attempted to rebuild the App Bundle by manually providing expo with the path to the .jks file but the signing error persists.
How can I view the contents of the .jks file to check the signing key values and what other steps can I take? Also, is the .pem file that I created for the key reset supposed to be used for anything?

https://support.google.com/googleplay/android-developer/answer/9842756
Request for new upload certificate
Fill out this form
https://support.google.com/googleplay/android-developer/contact/key
Generate Signed Bundle or APK
[new_key].der
Generate .pem and Upload
$ keytool -export -rfc -keystore [new_key].der -alias upload -file upload_certificate.pem
Wait for Google's email reply
It takes about 2 to 3 days to update to the new keystore once Google has verified it.

Related

Google Play Console Play App Signing - The Android App Bundle was not signed

I am trying to create a playstore release.
I've followed the guide to create an upload key and keystore, to the letter: https://developer.android.com/studio/publish/app-signing#generate-key
I have then generated a signed app bundle of my app with the upload key, exactly as stated here: https://developer.android.com/studio/publish/app-signing#sign_release
Which resulted in a file named: app-release.aab
Now, because this app is brand new, and has never been released before, there is no need to export the encrypted key and "opt in an existing app into Play App Signing" as I already opted in to this when I created the new app listing in the play console and, of course, I've never uploaded an APK signed with another key for this app listing before.
Next, I go to the play console and create a new production release. When I upload the app-release.aab file however, I see the following error message:
"The Android App Bundle was not signed."
Which is completely baffling.
As far as I can tell, I have followed the instructions to the letter, and I have attempted to do some research on google but I'm finding no answers.
Could anyone with experience of this process help me?
EDIT:
What I did not understand about the entire process, was that I am asked to generate the upload key locally but never actually upload the key to the google play console - how on earth does Google know that the app is signed with the upload key, if they've never seen the upload key? But, no where in the documentation of generating the upload key is it stated that I am supposed to do anything with the locally generated key other than use it to generate the signed app bundle locally, which is exactly what I have done.
EDIT 2:
Here are screenshots showing the process I am following to create the upload key and generate a signed bundle of my app with the upload key:
And then, rather oddly, the result of running keytool -printcert -jarfile app-release.aab from the directory where the bundle is:
You can verify if the app bundle you upload to Play is signed by running locally one of the following commands:
Using jarsigner:
jarsigner -verify app.aab
Using keytool:
keytool -list -printcert -jarfile app.aab
If it says the file is "verified" (or you see the certificate being printed when using keytool), then your AAB is indeed signed. If it is, make sure you upload the right file to Play Console, and if it still doesn't work, contact the developer support.
If it says the file is not verified/signed, then make sure you have selected a keystore in Android Studio when you generated the signed bundle and ensure the build succeeds.
If all else fails, do a full Clean Project and try again.
how on earth does Google know that the app is signed with the upload key, if they've never seen the upload key?
Google simply extracts the certificate from the first APK or AAB you upload and considers this the upload certificate. Every subsequent upload will have to be signed with the same key, but the first one can be signed with anything.
I tried building a release package that was set to 'debuggable true' to upload to my test channel, to debug the release key hash, and got this problem. I thought I had ruined something trying to get the key hash with keytool and openssl, like that I changed something that made it stop working, but it was just because I made the release debuggable in the build.gradle buildTypes. Just a helpful thought to those who come here next in case they have the same problem.
I had to rebuild the project before signing it.
I was having a similar problem (just a few days ago).
I was able to resolve my problem (and I don't know why) by running the following command on my .jks file and then going through Android Studio and generating the signed app bundle again.
$ keytool -list -keystore 'fakeName.jks' -storepass fake-password-same-one-i-used-in-android-studio
Use the command exactly as you see it, except of course replace the .jks file name above with your own (make sure it is between single quotes) and then add your password after the -storepass option.
Hope it helps you too.
Here's the entry I posted here on SO about the problem.

Creating New Release and got 'Your Android App Bundle is signed with the wrong key'

Hi
So while publishing a new version of my App on the Play Store, I got an error which says that I have a new SHA1 fingerprint compared to the last release. So I realized my mistake and found that while making the .aab file using the expo build:android -t app-bundle command I pressed the Generate New Keystore button, now I am not able to fix it. Please someone help me.
This is the error
Your Android App Bundle is signed with the wrong key. Ensure that your App Bundle is
signed with the correct signing key and try again. Your app bundle is expected to be
signed with the certificate with fingerprint:
SHA1: CD:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:A7
but the certificate used to sign the app bundle that you uploaded has fingerprint:
SHA1: 0D:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:8A
The screenshot of the error
Here is my app.json code
The keystore may be versioned if it was committed as part of your project so simply reverting that change would restore the previous keystore for you to use.
Alternatively, you'd need to contact Google and go through the process of establishing your new keystore as the valid signing entity. You can reach out to Google via this form
You'll need to provide a certificate from your new keystore which you can generate with the following command:
keytool -export -rfc -alias prod -file upload_certificate.pem -keystore keystore.jks

Google Play Console Reads Different Value for .Keystore than Keytool

I'm making an Android app using Expo. I download the upload certificate from Google Play Console. It's a .der file. I run:
keytool -importcert -file certificate.der -alias someAlias -keystore some.keystore
This creates a .keystore file of type .jks with 3 certificate fingerprints. The one which Google Play Console looks at during upload is the SHA1 fingerprint, which has 19 pairs of values such as 01:02:A1...
Using either expo build:android -t apk -c or expo build:android -t app-bundle -c to reset my keys and build an .apk or .aab, respectively, upon uploading to the Google Play Console, I receive an error that I haven't used the right key.
I get these errors:
.Apk error: You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint: SHA1: 01:02:A1... - The fingerprint of my newly created .keystore according to keytool -list -v -keystore some.keystore; the error goes on to say - and the certificate used to sign the APK you uploaded has fingerprint:
SHA1: 98:97:96:... - an entirely different fingerprint.
.Aab error: Your Android App Bundle is signed with the wrong key. Ensure that your App Bundle is signed with the correct signing key and try again: SHA1: 55:66:77... - another completely different value.
I used the upload .der for the .apk version app build and the app signing .der for the .aab version app build, and both times the Google Play Console read a different value for the SHA1 fingerprint than the value which keytool read for the same .keystore.
Neither switching keys, nor re-downloading, nor rebuilding had any effect, and keytool -list always claims that the .keystore fingerprints match what the Google Play Console is asking for.
Is there something simple I'm missing? Any help appreciated.
I've answered a similar question in detail in How to use upload certificate to release an app update? but in short, you cannot use a certificate to sign an APK or App Bundle: the certificate only contains the public key while you need the private key to sign an APK or App Bundle.
Google does not have the private key so you can't download it from the Play Console. You need to use the same keystore that you used to sign your first APK you uploaded to the console, you cannot create a new one.
If you've lost that keystore, you need to contact the Play developer support and let them know, they'll give you instructions on how to reset it.

Unable to upload android bundle to Google Play with Google Play app signing via fastlane

We have a few apps published in Google Play, all signed with the same keystore. Last year we switched to app bundles and enabled signing by Google Play. Everything works fine when signing and uploading the bundle manually. But when I tried uploading the bundle to Google Play via fastlane it gives me an error:
Google Api Error: apkNotificationMessageKeyBundleSignedWithWrongKey: The Android App Bundle was signed with the wrong key. Found: SHA1:...., expected: SHA1:......
If I upload same .aab manually, everything is fine.
What should I do? I suppose something from Google Play signing.
I don't want to break anything since I'm only a developer and not account owner. Can I generate new keystore without breaking existing?
Edit: on App Signing tab in Google console I can download upload_cert.der and deployment_cert.der
The verification of the signing key via the API or via the Play Console UI is the same, so you are likely not uploading the same file manually and via fastlane.
Make sure that the same keystore file (and same key alias) is used to sign the App Bundle in fastlane.
I realized that I didn't specify package_name parameter in fastlane supply command so it tried to upload bundle to a wrong app. Silly me.
For those who might be interested: I contacted Google Support with this question and they suggested that I reset the key for the app. But it wasn't necessary after all.
You can't recover your lost keystore, but you can replace the keystore on the Play Store. You just need to enable Google Play App Signing in the Play Store console, then you can replace the keystore certificate on the Play Store and update your app. There is no need to remove your app from the Play Store. It's possible now: since May 2017 you can update your app if you lost your keystore or keystore password, using a new keystore file. Please refer to this page:
https://support.google.com/googleplay/android-developer/answer/7384423?hl=en
1. Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key: keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
This key must be a 2048 bit RSA key and have 25-year validity.
2. Export the certificate for that key to PEM format: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
3. Reply to this email and attach the upload_certificate.pem file.

How to update android application after Google has reset the key

I lost my keystore (.jks) file, and I was lucky - I used App signing before.
Therefore, Google was able to help me and reset my key.
But what is the next step with the SHA1 google gave me by mail?
They gave me the instruction for generating an upload_certificate.pem file that I sent them by mail.
And then, Google's answer was:
Good news - I was able to register your new upload key, you would need to update your app to use the new upload key certificate:
SHA1:....
Now I try to upload the APK with the jks file I used to generate the PEM file, and also with a newly created jks file. In the Google Play console I get:
Your Android App Bundle is signed with the wrong key. Ensure that your app bundle is signed with the correct signing key and try again
What is the next step?
Presumably you created a new upload key following the instructions under "Create an upload key". These are roughly:
1. Generate an upload key and store it safely. This gives you a key with an alias something like "upload" in a keystore called something like "upload-keystore.jks".
2. Export your certificate in PEM format using a command like $ keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem
If this is what you did, then you need to sign your app with the keystore you created in step 1 "upload-keystore.jks" using alias "upload"
The SHA1 they sent you is just a way of confirming you used the right keystore. If you are still using the keystore for the PEM you sent them, then if you print out the certificate keystore from your APK it should match that SHA1.
You can print the SHA1 of the certificate from your signed APK with the command
keytool -list -printcert -jarfile app.apk
This will tell you the SHA1 of the certificate (key/keystore) you have used to sign it.
After I tried everything that came in mind, including "Invalidate cache and restart" in Android studio, the solution that worked was Build->clean.
Thanks to Dave Hubbard's answer
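As an added example (not code from any of the posts above), the following POSIX shell script does what the first question asks ("view the contents of the .jks file to check the signing key values") and what the last answer describes (printing the SHA1 from the signed bundle and comparing it with the one Play expects), in one place. It assumes a JDK keytool on PATH; the keystore name, alias "upload", password and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from any post above. Compares the SHA1 fingerprint of the
# key in a local keystore with the certificate that actually signed a built
# .aab/.apk and with the upload_cert.der downloadable from Play Console.
# Keystore path, alias "upload", password and file names are assumed placeholders.

# Pull the "SHA1: AB:CD:..." line out of keytool output and upper-case it.
# keytool -list -v, -printcert -file and -printcert -jarfile all print this line.
sha1_from_keytool_output() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1 | tr 'a-f' 'A-F'
}

# Fingerprint of one alias in a .jks keystore (the key the .pem was exported from).
keystore_sha1() {  # $1=keystore  $2=alias  $3=store password
  sha1_from_keytool_output "$(keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null)"
}

# Fingerprint of the certificate embedded in a signed .aab or .apk.
bundle_sha1() {  # $1=app-release.aab or .apk
  sha1_from_keytool_output "$(keytool -printcert -jarfile "$1" 2>/dev/null)"
}

# Fingerprint of a DER certificate from the Play Console "App signing" page.
der_sha1() {  # $1=upload_cert.der
  sha1_from_keytool_output "$(keytool -printcert -file "$1" 2>/dev/null)"
}

# True when two fingerprints are equal, ignoring case and whitespace. An empty
# fingerprint (keytool failed, wrong password, unsigned bundle) never matches.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'a-f' 'A-F')
  if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; fi
  return 1
}

# Usage: check_signing upload-keystore.jks upload "$STOREPASS" app-release.aab upload_cert.der
check_signing() {
  ks=$(keystore_sha1 "$1" "$2" "$3"); built=$(bundle_sha1 "$4"); play=$(der_sha1 "$5")
  echo "keystore ($1/$2): ${ks:-<none>}"; echo "bundle ($4): ${built:-<none>}"; echo "play ($5): ${play:-<none>}"
  if ! fingerprints_match "$ks" "$built"; then
    echo "bundle was not signed with that keystore/alias: rebuild (expo build:android -c, or a clean build)"; return 1
  fi
  if ! fingerprints_match "$built" "$play"; then
    echo "bundle key is not the upload certificate Play expects: use the original keystore or request a key reset"; return 1
  fi
  echo "OK: bundle is signed with the upload key Play expects"
}
```

When the first comparison fails, the build tool is still using a different (for example freshly generated) keystore; when only the second fails, the local keystore is not the one Play has on record and a key reset is the only way forward.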
