I'm making an Android app using Expo. I download the upload certificate from Google Play Console. It's a .der file. I run:
keytool -importcert -file certificate.der -alias someAlias -keystore some.keystore
This creates a .keystore file of type .jks with 3 certificate fingerprints. The one which Google Play Console looks at during upload is the SHA1 fingerprint, which has 19 pairs of values such as 01:02:A1...
Using either expo build:android -t apk -c or expo build:android -t app-bundle -c to reset my keys and build an .apk or .aap, respectively, upon uploading to the Google Play Console, I receive an error that I haven't used the right key.
I get these errors:
.Apk error: You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint: SHA1: 01:02:A1... - The fingerprint of my newly created .keystore according to keytool -list -v -keystore some.keystore; the error goes on to say - and the certificate used to sign the APK you uploaded has fingerprint:
SHA1: 98:97:96:... - an entirely different fingerprint.
.Aap error: Your Android App Bundle is signed with the wrong key. Ensure that your App Bundle is signed with the correct signing key and try again: SHA1: 55:66:77... - another completely different value.
I used the upload .der for the .apk version app build and the app signing .der for the .aap version app build, and both times the Google Play Console read a different value for the SHA1 fingerprint than the value which Keytool read for the same .keystore.
Neither switching keys, nor re-downloading, nor rebuilding had any effect, and keytool -list always claims that the .keystore fingerprints match what the Google Play Console is asking for.
Is there something simple I'm missing? Any help appreciated.
I've answered a similar question in detail in How to use upload certificate to release an app update? but in short, you cannot use a certificate to sign an APK or App Bundle: the certificate only contains the public key while you need the private key to sign an APK or App Bundle.
Google does not have the private key so you can't download it from the Play Console. You need to use the same keystore that you used to sign your first APK you uploaded to the console, you cannot create a new one.
If you've lost that keystore, you need to contact the Play developer support and let them know, they'll give you instructions on how to reset it.
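The distinction the answer above draws, as an added example that is not part of the original post: a keystore built with keytool -importcert lists the expected SHA1 but holds only a trustedCertEntry, so it cannot sign anything. The keytool -list -v excerpts, aliases and fingerprints below are constructed for illustration, and diagnose() is a hypothetical helper name.

```python
import re

# Constructed `keytool -list -v` excerpts; aliases and fingerprints are made up.
EXPECTED = "SHA1: 01:02:A1:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B"
OTHER = "98:97:96:95:94:93:92:91:90:8F:8E:8D:8C:8B:8A:89:88:87:86:85"

def listing(alias, entry_type, sha1):
    """Build the lines of keytool's verbose listing that matter here."""
    return (f"Alias name: {alias}\nCreation date: Jan 5, 2021\n"
            f"Entry type: {entry_type}\n\nOwner: CN=Example\n"
            f"Certificate fingerprints:\n\t SHA1: {sha1}\n\t SHA256: (omitted)\n")

IMPORTED = listing("somealias", "trustedCertEntry", EXPECTED[6:])  # keytool -importcert
ORIGINAL = listing("upload", "PrivateKeyEntry", EXPECTED[6:])      # keystore of first release
REGENERATED = listing("upload", "PrivateKeyEntry", OTHER)          # freshly generated keystore

ENTRY_RE = re.compile(
    r"Alias name: (?P<alias>.+?)\n.*?Entry type: (?P<type>\w+)"
    r".*?SHA1: (?P<sha1>[0-9A-Fa-f:]+)", re.S)

def normalize(fp):
    """Reduce 'SHA1: 01:02:..' or '01:02:..' to bare uppercase hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper().replace("SHA1", ""))

def diagnose(keytool_output, expected_fp):
    """Return (status, alias); status is can_sign, cert_only or no_match."""
    want = normalize(expected_fp)
    found = ("no_match", None)
    for m in ENTRY_RE.finditer(keytool_output):
        if normalize(m["sha1"]) != want:
            continue
        # Only a PrivateKeyEntry holds the private key needed to sign.
        if m["type"] == "PrivateKeyEntry":
            return "can_sign", m["alias"].strip()
        found = ("cert_only", m["alias"].strip())
    return found

if __name__ == "__main__":
    for name, text in [("imported .der", IMPORTED), ("original", ORIGINAL),
                       ("regenerated", REGENERATED)]:
        print(name, diagnose(text, EXPECTED))
```

A cert_only result is the situation in the question: the fingerprint matches what the Play Console expects, yet the build has to be signed with some other key because this keystore has no private key.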
Hi
So while publishing a new version of my App on the Play Store, I got an error which says that I have a new SHA1 fingerprint compared to the last release. So I realized my mistake and found that while making the .aab file using the expo build:android -t app-bundle command I pressed the Generate New Keystore button, now I am not able to fix it. Please someone help me.
This is the error
Your Android App Bundle is signed with the wrong key. Ensure that your App Bundle is
signed with the correct signing key and try again. Your app bundle is expected to be
signed with the certificate with fingerprint:
SHA1: CD:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:A7
but the certificate used to sign the app bundle that you uploaded has fingerprint:
SHA1: 0D:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:8A
The screenshot of the error
Here is my app.json code
The keystore may be versioned if it was committed as part of your project so simply reverting that change would restore the previous keystore for you to use.
Alternatively, you'd need to contact Google and go through the process of establishing your new keystore as the valid signing entity. You can reach out to Google via this form
You'll need to provide a certificate from your new keystore which you can generate with the following command:
keytool -export -rfc -alias prod -file upload_certificate.pem -keystore keystore.jks
I have an app that is published to the Google Play store and I recently upgraded my expo sdk version from 28 to 39. When I uploaded the App Bundle for the new release I got an error saying that the upload certificates did not match. I initially tried following this user's advice (https://stackoverflow.com/a/59517306/9053902) but had no success. I eventually submitted a request for a key reset per the google support docs (https://support.google.com/googleplay/android-developer/answer/9842756#create)
After the key was reset I attempted to build and resubmit but got the same upload certificate mismatch error. So I ran "expo build:android -c". Now the error says the signing key is wrong. I have the original downloaded .jks file, keystore password, key alias, and key password so I attempted to rebuild the App Bundle by manually providing expo with the path to the .jks file but the signing error persists.
How can I view the contents of the .jks file to check the signing key values and what other steps can I take? Also, is the .pem file that I created for the key reset supposed to be used for anything?
https://support.google.com/googleplay/android-developer/answer/9842756
Request for new upload certificate
Fill up this form
https://support.google.com/googleplay/android-developer/contact/key
Generate Signed Bundle or APK
[new_key].der
Generate .pem and Upload
$ keytool -export -rfc -keystore [new_key].der -alias upload -file upload_certificate.pem
Wait for Google's email reply
It takes about 2 to 3 days to update to the new keystore once Google has verified it.
We have a few apps published in Google Play, all are signed with same keystore. Last year we switched to app bundles, enabled signing by Google Play. Everything works fine when signing and uploading bundle manually. Although when I tried uploading bundle to Google Play via fastlane it gives me an error:
Google Api Error: apkNotificationMessageKeyBundleSignedWithWrongKey: The Android App Bundle was signed with the wrong key. Found: SHA1:...., expected: SHA1:......
If I upload same .aab manually, everything is fine.
What should I do? I suppose something from Google Play signing.
I don't want to break anything since I'm only a developer and not account owner. Can I generate new keystore without breaking existing?
Edit: on App Signing tab in Google console I can download upload_cert.der and deployment_cert.der
The verification of the signing key via the API or via the Play Console UI is the same, so you are likely not uploading the same file manually and via fastlane.
Make sure that the same keystore file (and same key alias) is used to sign the App Bundle in fastlane.
I realized that I didn't specify package_name parameter in fastlane supply command so it tried to upload bundle to a wrong app. Silly me.
For those who might be interested, I contacted Google Support with this question and they suggested that I reset the key for the app. But it wasn't necessary after all.
You can't recover your lost keystore, but you can replace the keystore on the Play Store; you just need to enable Google Play App Signing in the Play Store console. You can replace it with a new keystore certificate on the Play Store, then you can update your app. There is no need to remove your app from the Play Store; you can update your app. It's possible now: after May 2017 you can update your app if you lost your keystore or keystore password. You can update your app using a new keystore file. Please refer to this blog:
https://support.google.com/googleplay/android-developer/answer/7384423?hl=en
1. Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key: keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
This key must be a 2048 bit RSA key and have 25-year validity.
2. Export the certificate for that key to PEM format: keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
3. Reply to this email and attach the upload_certificate.pem file.
My user cannot log in using Google sign-in after downloading my app. At first I believed it was a SHA1 problem, so I created one for release using keytool with my keystore.
What I've done:
Copied the sha1 to my firebase project setting
Downloaded the googlejson file, put it in my project.
Generate signed apk using the same keystore.
Currently I think I have two sha1 fingerprint certificate listed in my firebase project setting, debug and release version.
The weird thing is I can successfully login by running the apk-release.apk from generate signed apk which I directly copied from my pc to my phone. ( I uninstalled the old and install fresh the app). That is the same apk I uploaded to the google play console for public. I don't understand why I get different result.
I finally figured it out, for those who have this problem:
I have to get the SHA1 generated from Google Play Console. It's on the Release Management --> App Signing.
If you use Firebase, just add that SHA1 to your project setting.
keytool -list -v -keystore {keystore_name} -alias {alias_name}
Pass your project's keystore-name and alias-name and get SHA1 key. Create credentials using that SHA1.
I tried to update my app at play Store but received the following msg
Upload failed
You uploaded an APK that is signed with a different certificate to your previous APKs.
You must use the same certificate.
Your existing APKs are signed with the certificate(s) with
fingerprint(s):
I've done some searching here and on Google. The results are mainly about using the wrong keystore, the key being invalid, or the key being outdated.
So, I do the following
Download the published apk from google play console
keytool -list -printcert -jarfile published.apk
keytool -list -keystore /xxx/xxx/xxx.keystore
Potential problem
1. Using wrong keystore / key
2. Key expired
The fingerprints from published.apk and xxx.keystore match
Valid date of apk till 2044
Both potential problem 1 and 2 should not be a problem now.
Any idea? Am I missing something?