SHA1 different key problem on Google Play Store - Android

I have this application which was made in 2015. I have updated that application and now I want to upload the updated version to the Play Store. But unfortunately, it is giving me an error that the SHA1 key is different. I am attaching the image below.
Furthermore, the organization that I am working for does not have any information about the keystore password or alias. There is literally no information about the previous version. Therefore, I am totally clueless about how to update this application in the Google Play Store.

Without the SHA1 key you cannot generate another signed APK to upload. You need that key in order to generate a new signed APK to upload.
Google will not re-sign any of your existing or new APKs that are signed with the app signing key. This enables you to start testing your app bundle in the open, closed, or internal test tracks while you release your existing APK in production without Google Play making any changes to it.

This basically means that you are trying to generate a signed APK using a different certificate than the one that was used to sign the original APK. If you can't get hold of the old certificate you will have to create a new one (which I think you have already done), generate a signed APK, then publish it as a new app on the Play Store. You will have to unpublish the old application though. Try using a slight change in the package name, like a change from a small letter to a capital letter, e.g. from "com.example.company" to "Com.example.company".

It is precisely this problem that caused Google Play to introduce Google Play App signing. If your app is opted in, then Google looks after your signing keys, and if you lose the information, then Google Play support can help you change the upload key.
However, if you are not opted in to Google Play App Signing, there is nothing you can do.
The best option is, as other people have said, unpublish the old app, create a new one, and this time opt in to Google Play App Signing so it doesn't happen again.
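The "SHA1 key is different" error means the certificate inside the uploaded APK hashes to a different fingerprint than the one Play has on record for the app. The following is an added example, not code from the question or any of the answers: it pulls the v1 (JAR) signer certificate straight out of an APK and prints its fingerprint in the same colon-separated form the Play Console shows, so the two can be compared before uploading. The certificate bytes are a constructed stub, and APK Signature Scheme v2/v3 blocks are not parsed, so for a v2-only APK use `apksigner verify --print-certs` instead.

```python
import hashlib
import io
import zipfile

def der_iter(data):
    """Yield (tag, raw_tlv, body) for each DER element at one nesting level."""
    i = 0
    while i < len(data):
        tag, length, hdr = data[i], data[i + 1], 2
        if length & 0x80:                      # long-form length
            n, hdr = length & 0x7F, 2 + (length & 0x7F)
            length = int.from_bytes(data[i + 2:i + 2 + n], "big")
        yield tag, data[i:i + hdr + length], data[i + hdr:i + hdr + length]
        i += hdr + length

def certs_from_pkcs7(blob):
    """Return the DER certificates carried in a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, _, content_info = next(der_iter(blob))                      # ContentInfo SEQUENCE
    signed_data = next(b for t, _, b in der_iter(content_info) if t == 0xA0)  # [0] EXPLICIT
    _, _, sd_body = next(der_iter(signed_data))                    # SignedData SEQUENCE
    certs = next(b for t, _, b in der_iter(sd_body) if t == 0xA0)  # [0] IMPLICIT certificates
    return [raw for t, raw, _ in der_iter(certs) if t == 0x30]     # whole certificate TLVs

def fingerprint(cert_der, algo="sha1"):
    """Colon-separated upper-case digest, the format keytool and the Play Console print."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def apk_signer_fingerprints(apk_bytes, algo="sha1"):
    """Fingerprints of every signer certificate in the APK's v1 (JAR) signature block."""
    out = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                out += [fingerprint(c, algo) for c in certs_from_pkcs7(zf.read(name))]
    return out

def same_signer(apk_bytes, expected):
    """True if some signer matches the fingerprint Play expects (case and colons ignored)."""
    norm = lambda s: s.replace(":", "").upper()
    return any(norm(fp) == norm(expected) for fp in apk_signer_fingerprints(apk_bytes))

def tlv(tag, body):
    assert len(body) < 0x80                    # short-form length is enough for the sample
    return bytes([tag, len(body)]) + body

DUMMY_CERT = tlv(0x30, b"\x02\x01\x02" + tlv(0x04, bytes(range(64))))  # constructed stub, not a real X.509 cert
SIGNED_DATA = tlv(0x30, b"\x02\x01\x01" + tlv(0x31, b"") + tlv(0x30, b"")
                  + tlv(0xA0, DUMMY_CERT) + tlv(0x31, b""))
PKCS7 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + tlv(0xA0, SIGNED_DATA))

def build_sample_apk():
    buf = io.BytesIO()                         # in-memory zip shaped like a v1-signed APK
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", PKCS7)
    return buf.getvalue()
```

Run `apk_signer_fingerprints(open("app-release.apk", "rb").read())` against a real build and compare the result with the fingerprint shown on the Play Console's app signing page; a mismatch there is exactly the error in the screenshot.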

Related

Google Play - alpha version App Bundle, production - apk

My app currently uses an APK without storing the signing key on Google servers. I want to create a closed alpha test with a new Flutter app version and an app bundle. As far as I understand, I am forced to store the key on Google servers. So, is it possible to:
keep the production version as an APK in the Play Store
create a new alpha version that uses an app bundle and whose key is stored on Google servers
I want to keep my current key. I don't want Google to generate a new one because, first, the key hash is used to configure some services like Firebase and Facebook login so it can't be changed, and second, the alpha version needs to use the same key as the stable production version.
Of course, currently both app versions have the same package name and the same signing key is used to sign the release build. In the future, the alpha version will be promoted as the new stable (when testing is finished).
I was unable to find any straightforward way to do what I want, especially since Google always proposes to generate a new signing key.
Any tips?
If you have an existing app, Google Play does not generate a new key when you enroll in Play Signing. You are prompted to give Google your existing key which it will use to sign the APKs it produces from the app bundle.
Note: I'm not sure where you have seen that Google "always proposes to generate a new signing key", a screenshot would be helpful to understand better where this is coming from. The only time Google would offer to create a new key is when you create a new app but you seem to suggest that you have an existing app, so this isn't it.
It seems that you could just enroll in Play Signing by giving your key to Google, then upload app bundles the same way you were uploading APKs before (in whichever release channel).

Google Play Store did not ask me to create an upload keystore.....do I still have to create one?

I am opting to use the Google Play App Signing service for my app.
I created a keystore, and signed my release app bundle with it. I then created an Internal Testing release, and opted in to Play App Signing with a single click. Nothing more was asked of me in this regard.
Now I am confused, because everything I read in the docs says that you will be asked to provide an upload key for the app. I was not asked to provide this.
When I go to the app signing page in the Release section, it does not give me the option to upload/create an upload keystore.
What exactly has happened? How am I enrolled in Play App Signing without having uploaded an upload keystore?
Firstly, you have to sign your AAB/APK file with the given configuration for the keystore. This allows you to continually maintain update and management rights for your app beyond release. Also, what you need to understand is that Google extracts the release key from the app bundle once you upload it to the console. However, in what you are doing, you are providing the key manually. I'll give you a rundown of the keys as you seem to be a little green with this system:
App signing key
The app signing key can never be changed for the lifetime of your app. Keep your app signing key secret, but you can share your app’s public certificate with others.
Upload key
The key you use to sign your app bundle or APK before you upload it on Google Play. Keep your upload key secret, but you can share your app’s public certificate with others. For security reasons, it’s a good idea to have app signing and upload keys that are different from each other.
You have to sign your APK/AAB file with the keystore in the release configuration. Otherwise, if you enrol in Play App Signing using your debug key, you will encounter problems in the future if your debug key resets, and you will not be able to update your app.
Once you have signed the app bundle with the release key, it will get extracted by Google automatically when you upload it to the Google Play Console. You are providing the key automatically in the bundle you are uploading.
More information here: https://support.google.com/googleplay/android-developer/answer/9842756?hl=en-GB&visit_id=637418371461688084-2328838094&rd=1

Google Play App Signing and signature level permission

I am trying to use signature-level permissions to share data between two apps in a secure way. Unfortunately, even if I use the same upload key for signing both apps, Google Play changes their signature after uploading to the store. Because of that, my apps can't communicate.
How do I sign two apps with the same key/certificate if we use Google Play App Signing?
I've done some research and I would like to explain here how Google Play App Signing works and how to use it with signature-level permissions.
First of all, if we use Google Play App Signing we actually use two keys to sign our app. The first is the Upload key and the second is the App signing key. Both are generated in the same way from Android Studio, and we can use the Upload Key from one app as the App signing key for the other app.
The App signing key is stored in Google Play and after uploading it we don't have access to it. We have the possibility to upload it when we enrol in Google Play App Signing for an existing app, or it can be generated by Google Play for a new app, and then we don't have access to it at all. We can say that the App signing key is actually the real key which we use for distributing the app to our users.
The whole mechanism looks like this:
(Image: official app signing documentation)
As you can see in the image, we use the Upload Key to upload our app to Google Play, and then Google Play removes our signature and signs our app with a different key. It is useful because if we lose our upload key we will not lose the possibility to upload our app (we can ask Google to use a new upload key). Moreover, Google Play can now split our app into smaller parts and distribute them independently, and every part will be signed with our App Signing Key (Android App Bundles).
The disadvantage of this solution is that the app which we upload to the store has a different signature than the app which we download from Google Play.
It is very problematic, especially if we use signature-level permissions in our app. Moreover, it is also a problem when we want to upload our app to a different store than Google Play.
By using signature-level permissions we can share data between two apps in a secure way (use case example), but there is one main condition: both apps have to have the same signature.
Even if we use the same Upload Key, it doesn't mean our apps will have the same signatures, because the keys which are used by Google Play can be different.
In practice it means that when you test the release version of your app everything looks great, but after uploading it to Google Play it doesn't work (this problem affects every feature which depends on the app signature: Facebook login, tamper detection).
So, how to use the same key for two apps when we use Google Play App Signing?
When we create a new app in Google Play and try to create the first release to production, Google Play will ask:
And then under advanced options we can find:
After that both apps will have the same signature for our users.
Unfortunately, if we try to do it for an app which is already published for our users (we can enrol in Google Play App Signing later), we don't have this option available and we can't use the same key.
What if we can't do it but we want to use secure data sharing between two apps?
We can verify the signature, which is not the same, manually and try to prevent attacks from inside of our app which provides the data. It is not as secure as the first solution but more secure than doing nothing :)
As you found out, sharing the same upload key does not mean that the app signing key will be shared as well. However there is a way to do that when you first enroll in App Signing by Play: under the "Advanced" section in the enrollment card, there is an option to reuse the app signing key of another app already enrolled in App Signing.
You will need to create a new app however since there is today no way to change the app signing key.
This is documented on this page under "Opt in to app signing by Google Play" > "New apps".
Hope that helps,

Is it possible to download signing key used by google play?

As you know, after uploading an APK file to Google Play, you can choose to let Google sign your APK with another key, in order to prevent losing the key file for an app. So, every time we upload an APK, it will be signed using this key. Now, this approach has a limitation: consider that you want to sign your APK with this key without uploading the APK to Google Play each time.
So, the question is: is it possible to download the key file and sign my app locally? How? What will be the key password and alias password in this case?
No, it is not possible to download the private key that Google generated to sign your app.
The options I see for your use case are:
Create a new app on the Play Console for your new flavours, and ask to be signed with the same key as your other app. Even without publishing this app externally (e.g. keep it on a test track), Play would generate the APK which you could download immediately after.
Delete your app, and recreate it, but this time give Play the key you want your app to be signed with instead of letting Google generate it. It has been possible since a couple of weeks ago.
Hope that helps.

How to upload same app twice on play console?

I uploaded an app on Google Play but accidentally made it free. Now I want to upload the same app again and make it paid. How do I do that? When I try to upload the APK again, it says:
You uploaded an APK or Android App Bundle that is signed with a key that is also used to sign APKs that are delivered to users. Because you are enrolled in app signing by Google Play, you should sign your APK or Android App Bundle with a new key before you upload it.
How do I sign with a new key (please explain this to a newbie, I'm not a programmer, I created an APK file with Thunkable)?
There are two things you need to be aware of:
First, no two apps in the store can have the same package name (i.e. unique identifier). In Thunkable, the package name is com.{username}.{appname}, so you will need to change either the username or the app name before uploading your new app.
Then, there is the question of the keystore (See "Keystores" section in Thunkable docs). It seems that you opted out of "Play Signing" for the first app you created, and now you opted in for your second app, but used the same cryptographic key for both apps. This can lead to security issues when you use the same key for two different purposes (simplifying a bit, sorry). Thunkable unfortunately does not seem to support generating new keystores, so you have two options: 1) Create a new account with Thunkable (which should generate a new keystore), or 2) Opt out of "App Signing by Play" when you're prompted in the Play Console when you upload your app.
Hope that helps! Good luck :)
