I uploaded an app on Google Play but made it accidentally free. Now I want to upload the same app again and make it paid. How do I do that? When I try to upload the APK again, it says:
You uploaded an APK or Android App Bundle that is signed with a key that is also used to sign APKs that are delivered to users. Because you are enrolled in app signing by Google Play, you should sign your APK or Android App Bundle with a new key before you upload it.
How do I sign a new key? (Please explain this to a newbie; I'm not a programmer. I created an APK file with Thunkable.)
There are two things you need to be aware of:
First, no two apps in the store can have the same package name (i.e. unique identifier). In Thunkable, the package name is com.{username}.{appname}, so you will need to change either the username or the app name before uploading your new app.
Then, there is the question of the keystore (See "Keystores" section in Thunkable docs). It seems that you opted out of "Play Signing" for the first app you created, and now you opted in for your second app, but used the same cryptographic key for both apps. This can lead to security issues when you use the same key for two different purposes (simplifying a bit, sorry). Thunkable unfortunately does not seem to support generating new keystores, so you have two options: 1) Create a new account with Thunkable (which should generate a new keystore), or 2) Opt out of "App Signing by Play" when you're prompted in the Play Console when you upload your app.
Hope that helps! Good luck :)
Related
I try to use signature level permission to share data between two apps in a secure way. Unfortunately, even if I use the same upload key for signing both apps, Google Play changes their signature after uploading to the store. Because of that, my apps can't communicate.
How to sign in two apps with the same key/certificate if we use google play app signing?
I've made some research and I would like to explain here how Google Play App Signing works and how to use it with signature level permission.
First of all, if we use Google Play App Signing we actually use two keys to sign our app. The first is the Upload key and the second is the App signing key. Both are generated in the same way from Android Studio and we can use the Upload Key from one app as the App signing key for the other app.
App signing key is stored in Google Play and after uploading it we don't have access to it. We have possibility to upload it when we enrol to Google Play App Signing for existing app or it can be generated by Google Play for new app and then we don't have access to it at all. We can say that App signing key is actually the real key which we use for distributing app for our users.
The whole mechanism looks like this:
Image source (Official app signing documentation)
As you can see in the image, we use the Upload Key to upload our app to Google Play and then Google Play removes our signature and signs our app with a different key. It is useful because if we lose our upload key we will not lose the possibility to upload our app (we can ask Google to use a new upload key). Moreover, Google Play can now split our app into smaller parts and distribute them independently, and every part will be signed with our App Signing Key (Android App Bundles).
The disadvantage of this solution is that the app which we upload to the store has a different signature than the app which we download from Google Play.
It is very problematic especially if we use signature level permission in our app. Moreover it is also problem when we want to upload our app to different store than Google Play.
By using signature level permission we can share data between two apps in secure way (use case example) but there is one main condition - both apps have to have the same signature.
Even if we use the same Upload Key it doesn't mean our apps will have the same signatures because the keys which are used by Google Play can be different.
In practice it means that when you test the release version of your app everything looks great, but after uploading it to Google Play it doesn't work (this problem affects every feature which depends on the app signature - Facebook login, tamper-detection).
So, how to use the same key for two apps when we use Google Play App Signing?
When we create new app in Google Play and try to create first release to production then Google Play will ask:
And then under advanced options we can find:
After that both apps will have the same signature for our users.
Unfortunately if we will try to do it for app which is already published for our users (we can enrol to Google Play App Signing later) we don't have this option available and we can't use the same key.
What if we can't do it but we want to use secure data sharing between two apps?
We can verify signature which is not the same manually and try to prevent attack from the inside of our app which provides data. It is not as secure as first solution but more secure than doing nothing :)
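One way to do the manual check described above, as an added example that is not part of the original post: the app that provides the data pins the SHA-256 digest of the certificate the other app is delivered with and rejects any other caller. It assumes API level 28 or higher; `CallerVerifier`, its method names and the all-zero fingerprint are hypothetical placeholders.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;

/** Hypothetical helper: pins the consumer app's signing certificate. */
public final class CallerVerifier {

    // PLACEHOLDER, not a real fingerprint: replace with the SHA-256 of the
    // certificate that signs the consumer app as delivered to users (its app
    // signing key, not its upload key). 64 hex characters, no colons.
    private static final String TRUSTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private CallerVerifier() {}

    /**
     * Call at the start of every entry point that hands out data
     * (ContentProvider.query(), a bound service's Binder method, ...),
     * on the incoming Binder thread so getCallingUid() identifies the caller.
     */
    public static void enforceTrustedCaller(Context context) {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) {
            return; // call from our own app
        }
        PackageManager pm = context.getPackageManager();
        // API 28+: compares the pinned digest with the caller's signing
        // certificates and takes signing-certificate rotation into account.
        boolean trusted = pm.hasSigningCertificate(
                uid, decodeHex(TRUSTED_CERT_SHA256), PackageManager.CERT_INPUT_SHA256);
        if (!trusted) {
            throw new SecurityException(
                    "Caller uid " + uid + " is not signed with the pinned certificate");
        }
    }

    private static byte[] decodeHex(String hex) {
        if (hex.length() != 64) {
            throw new IllegalArgumentException("expected 64 hex characters");
        }
        byte[] out = new byte[32];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The pinned value has to be updated in the providing app if the other app is ever recreated under a different app signing key, since the check fails closed for any certificate it does not know.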
As you found out, sharing the same upload key does not mean that the app signing key will be shared as well. However there is a way to do that when you first enroll in App Signing by Play: under the "Advanced" section in the enrollment card, there is an option to reuse the app signing key of another app already enrolled in App Signing.
You will need to create a new app however since there is today no way to change the app signing key.
This is documented on this page under "Opt in to app signing by Google Play" > "New apps".
Hope that helps,
As you know, after uploading an APK file to Google Play, you can choose to let Google sign your APK with another key, in order to prevent losing the key file for an app. So, every time we upload an APK, it will be signed using this key. Now, this approach has a limitation: consider that you want to sign your APK with this key without uploading the APK to Google Play each time.
So, the question is: Is it possible to download key file and sign my app locally? How? What will be the key password and alias password in this case?
No, it is not possible to download the private key that Google generated to sign your app.
The options I see for your use case are:
Create a new app on the Play Console for your new flavours, and ask to be signed with the same key as your other app. Even without publishing this app externally (e.g. keep it on a test track), Play would generate the APK which you could download immediately after.
Delete your app, and recreate it but this time, give Play the key you want your app to be signed with instead of letting Google generate it. It is possible since a couple of weeks ago.
Hope that helps.
I have this application which was made in 2015. I have updated that application and now I want to upload the updated version to the Play Store. But unfortunately, it is giving me an error that the SHA1 key is different. I am attaching the image below.
Furthermore, the organization that I am working for does not have any information about the keystore password or alias. There is literally no information about the previous version. Therefore, I am totally clueless how to update this application in the Google Play Store.
Without the SHA1 key you cannot generate another signed APK to upload. You need that key in order to generate a new signed APK to upload.
Google will not re-sign any of your existing or new APKs that are signed with the app signing key. This enables you to start testing your app bundle in the open, closed, or internal test tracks while you release your existing APK in production without Google Play making any changes to it.
This basically means that you are trying to generate a signed APK using a different certificate than the one that was used to sign the original APK. If you can't get hold of the old certificate you will have to create a new one (what I think you have already done), generate a signed APK, then publish it as a new app on the Play Store. You will have to unpublish the old application though. Try using a slight change in the package name, like a change from small letter to capital letter, e.g. from "com.example.company" to "Com.example.company".
It is precisely this problem that caused Google Play to introduce Google Play App signing. If your app is opted in, then Google looks after your signing keys, and if you lose the information, then Google Play support can help you change the upload key.
However, if you are not opted in to Google Play app signing there is nothing you can do.
The best option is, as other people have said, unpublish the old app, create a new one, and this time opt in to Google Play App Signing so it doesn't happen again.
I have a little issue where I created an Android release build from my Ionic project. I've signed the app in the platform/android/build/outputs/apk folder, so my keystore file also was there. Then I noticed a bug and rebuilt the app, but I figured the folder gets cleared at each build. As a result I don't have my keystore file anymore and I'm unable to add an update to the Play Store. I've unpublished the previous version but now I'm unable to use my app id as it is used by the unpublished version.
So right now I see three options:
Is there a way to change the app id from the unpublished app? (all related info I've read says no)
Is there an alternative way to use the same app id? (I would not like to have different app ids for iOS and Android)
As a final option I could use com.mydomain.app as the iOS id and use e.g. com.mydomain.android (and I've moved my signing process to a different folder outside the Ionic project) but is there a way to keep this release-friendly (meaning, is there a way to specify platform specific app ids in Ionic config.xml or other file)
How do you guys handle stuff like this? I suppose I'm not the first random guy this has happened to.
Edit: I found that I'm not the first random guy this has happened to. Which makes option 3 easier to accept if option 1 will never work.
No this is not possible, mentioned clearly in the google doc.
If you lose your keystore, you'll need to publish a new app with a new package name.
If you have lost your app signing key, you cannot upgrade your app. That is the reason Google came up with a new feature, "app signing by Google Play", where Google keeps your signing key, but when you upload your app you need to sign it with a key (Upload Key); then Google verifies your signature, removes the signature, re-signs the APKs with the original app signing key you provided, and delivers your app to the user. The benefit of this feature is that if you lose your "Upload Key", you can request a reset from Google, and you will be provided with a new "upload key", which you will use for signing the app, and Google will re-sign your app using the main key it has been keeping since the start.
So I will suggest you enrol for this feature this time, to avoid an issue in future in case you lose your signing key again.
As others have mentioned, this is not possible outside the scope of App Signing by Play.
However, if your app has not been installed by anyone from the Play Store (except yourself), you can request your app to be deleted, which would allow you to recreate a new app with the same package name.
App Id in a sense is just like a domain name, you can not have more than one as long as you are to upload the application on Google Play.
The only option for you is to create a new build with a different App id.
I have two different apps, and I want them to be able to communicate together.
For security reasons, I would like to restrict the communication with protectionLevel:signature, so I don't have to worry about other apps possibly messing with my apps.
The problem is, I use Google Play Signing for the first app. I noticed, that when I want to create a new App in the play console, and opt-in for Google Play App Signing, that another certificate is generated. So, I suspect that the permission system is not working, as the release-apk that users download will not be signed by the same certificate, and that the "protectionLevel=signature" check will fail.
Is this true, or will it still work somehow when the Upload-Certificate matches?
Is there any way to use the same certificate for different apps using Google Play App Signing?
I solved it;
There is a button for reusing the Signing Key from an old app in the "App Signature" Tab in the play console.
Note that after you generated a distribution key once, it cannot be changed, even if you never uploaded an APK yet, so you have to press the button to reuse the key immediately before generating another distribution key.
I had to delete my (unpublished) app and create a new one. If you already published your app (even if just for a closed beta test), your only chance to get the same distribution key is to create a new app with a different app id.