I want to upload an updated APK to the Play Store, but I am getting an error that my SHA1 certificate does not match the previous one. I want to know how I can upload the APK, as I am using the same old key that was previously used by the developer.
You are obviously not using the same certificate, hence the message.
The debug certificates are different among computers but from your message I suspect the app is already uploaded to the store, so you need to use the same release certificate used by the other developer. Ask the other developer which certificate he used.
My org's Android app is signed with 2 keystore files. So while doing app signing on the Play Store, I am getting the following message:
Your app cannot be enrolled into App Signing because of the following reasons:
We do not support enrolling apps signed with multiple keys
So, I want to know if there is any way to move from 2 signing certificates to 1 certificate while keeping the same app in the Play Store.
Unfortunately it is not possible today.
For app updates to work, the Android framework requires that the app be signed by the same certificates, so it is not possible to change the certificates. The only option would be to create a new app (i.e. new package name).
Android has introduced key rotation, which could possibly help with this situation, but it is unfortunately not supported by Play to this day.
Recently I uploaded an app to the Play Store, which is live now, and I enabled app signing too. But when I tried to upload a new build, I could not find my old keystore. So when I generate a new keystore and try to upload, I am getting this error:
you uploaded an apk that is not signed with the upload certificate.
You must use the same certificate.
Please have a look in my developer console, which has both the upload certificate & app signing certificate.
How to get the apk signed with same fingerprint and upload to play-store?
Ref: https://support.google.com/googleplay/android-developer/answer/7384423?hl=en
If you lose your keystore or think it may be compromised, Google Play App Signing makes it possible to request a reset to your upload key.
If you're not enrolled in Google Play App Signing and lose your keystore, you'll need to publish a new app with a new package name.
Note: There are many questions on Stack Overflow related to KeyStore, but this is something related to the new feature from Google, "App Signing", and I am not getting any suitable answer.
I have contacted Google and their response does not confirm anything. Please find the message from Google below.
I'm sorry for the confusion, however I can see for your app (with package name: com.wma.foodinns.foodinnsapp), you have successfully registered your upload key with Google and have therefore successfully generated an upload key. The upload key you generated and then used to register is the key you should still have on your side and should be used to sign your APKs when uploading new APKs for this app to the Play Console.
The certificate you can download from the Play Console is not the full upload key, but contains the public key as well as some extra identifying information about who owns the key (for more information on this, please see the definitions listed here: https://support.google.com/googleplay/android-developer/answer/7384423?hl=en&ref_topic=7072031).
Do you still have the key you have created that was then registered as the upload key on the Play Console?
Finally, Google helped me get this resolved. I wrote an email describing the issue and then, after getting their response, followed the steps below.
I created a new keystore.
Exported the certificate for that key to PEM format:
keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
Replied to their email and attached the upload_certificate.pem file.
Then Google sent an email saying they had updated my keystore and I could use it after 3 to 4 days.
I used the newly generated keystore and then generated the signed APK, which was successfully uploaded to the Play Store.
Below is the list of locations where the keystore needs to be updated:
Local machine
Locked on-site server (varying ACLs)
Cloud machine (varying ACLs)
Dedicated secrets management services
(git) repos
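Before replying to Google with a new PEM, or before every upload, it is worth checking locally that the certificate in the APK you are about to upload is the one the Play Console lists as the upload certificate. The following is an added example (not code from any of the posts above) that computes the SHA-1/SHA-256 fingerprint of a PEM certificate with only the Python standard library, parses the fingerprint lines printed by `keytool -printcert` or `apksigner verify --print-certs`, and compares them regardless of colon/case formatting. The PEM body, the tool outputs and the names `SAMPLE_PEM`, `SAMPLE_APKSIGNER_OUTPUT`, `SAMPLE_KEYTOOL_OUTPUT` are constructed for the example; the PEM body is placeholder bytes (the ASCII string "abc"), not a real X.509 certificate, so the fingerprints shown are of those bytes only.

```python
"""Compare the certificate an APK is signed with against the upload certificate
fingerprint shown in the Play Console (added example, standard library only)."""
import base64
import hashlib
import re

# Constructed sample: a PEM file whose base64 body is the bytes b"abc" ("YWJj"),
# standing in for the upload_certificate.pem exported with `keytool -export -rfc`.
# It is NOT a real certificate; a real one is DER-encoded X.509, but the fingerprint
# is just a hash of the DER bytes, so the computation is the same.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed sample of `apksigner verify --print-certs app.apk` output for an APK
# signed with that same (placeholder) certificate.
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Example Upload, O=Example
Signer #1 certificate SHA-256 digest: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
Signer #1 certificate SHA-1 digest: a9993e364706816aba3e25717850c26c9cd0d89d
"""

# Constructed sample of `keytool -printcert -file upload_certificate.pem` output.
SAMPLE_KEYTOOL_OUTPUT = """\
Owner: CN=Example Upload, O=Example
Certificate fingerprints:
\t SHA1: A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
\t SHA256: BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD
Signature algorithm name: SHA256withRSA
"""


def pem_to_der(pem_text: str) -> bytes:
    """Decode the base64 body of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the DER bytes and format as the colon-separated upper-case string
    that keytool and the Play Console display (e.g. 'A9:99:3E:...')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so fingerprints copied from different
    tools (keytool, apksigner, Play Console) compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(a: str, b: str) -> bool:
    """True when two fingerprints denote the same digest, whatever their formatting."""
    return normalize(a) == normalize(b)


def parse_fingerprints(tool_output: str) -> dict:
    """Pull SHA1/SHA256 values out of keytool -printcert or apksigner
    --print-certs output. Keys are 'SHA1' and 'SHA256'."""
    found = {}
    for line in tool_output.splitlines():
        m = re.search(r"(SHA-?1|SHA-?256)(?: digest)?:\s*([0-9A-Fa-f:]+)", line)
        if m:
            found[m.group(1).replace("-", "").upper()] = m.group(2)
    return found


def signer_matches(tool_output: str, expected_sha256: str) -> bool:
    """True when the SHA-256 reported by the tool equals the expected
    fingerprint (e.g. the upload certificate SHA-256 from the Play Console)."""
    fps = parse_fingerprints(tool_output)
    return "SHA256" in fps and fingerprints_match(fps["SHA256"], expected_sha256)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("upload cert SHA1  :", fingerprint(der, "sha1"))
    print("upload cert SHA256:", fingerprint(der, "sha256"))
    print("APK signer matches upload cert:",
          signer_matches(SAMPLE_APKSIGNER_OUTPUT, fingerprint(der, "sha256")))
    print("keytool output matches PEM:",
          signer_matches(SAMPLE_KEYTOOL_OUTPUT, fingerprint(der, "sha256")))
```

In practice you would feed `pem_to_der` the contents of the PEM you exported, and `signer_matches` the real output of `apksigner verify --print-certs your.apk` together with the SHA-256 shown under the upload certificate in the Play Console; a mismatch before upload is the same condition that produces the "not signed with the upload certificate" error on the server side.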
Since you are using the Google app signing program, you can request a reset of your upload key. For that you need to contact Google, as shown below:
Contact Us -> Publishing apps on Google Play -> Application signature certificate & keystore issues -> To request a reset to your upload key, contact us
Since you are using Google Play App Signing, you can just create a new upload key and then contact Google support. See the documentation, in particular the section "Lost or compromised private keys" near the end of that page.
Sorry Siba, but there's not much you can do if you lose your keystore. I mean, if a method existed, wouldn't that defeat the whole security feature of the keystore system?
I personally have 3 backup locations for my important keystores. You are lucky in that your app is probably not too new with lots of users. Simply republish this app (with a different package name) and you are good to go. Save the keystore well this time.
I've got a project to do: I have an app and I have some changes to make to it.
The app has already been uploaded as a beta version to the Google Play developer console.
Now I try to upload a new APK with some changes I made, so I sign the APK with my own certificate, but it says the APK must be signed with the last certificate.
Therefore, I want to know if there is some way to get the last certificate and sign it myself, or should I ask the last programmer for the certificate he used?
I want to know if there is some way to get the last certificate and sign it myself, or should I ask the last programmer for the certificate he used?
You pretty much answered yourself here. If you do not have the last certificate, then you need to ask the one who has it for it, or you must change the package ID (thus making it a new app) and then release it as a new app on Google Play.
This is related reading in the official docs: https://developer.android.com/studio/publish/app-signing.html
There are many questions about signed and unsigned .apk files. For testing and debugging we can use the unsigned .apk file that is generated inside the bin folder. This APK file is generated using a dummy keystore file. My question is: why do we need to use a signed APK? Can't we publish an unsigned APK? What's wrong with that?
There are a number of reasons why you want to have a release-signed application. There's even a great article about it. Here are a few reasons:
It's a method by which the end user can verify that an app is in fact published by the same author.
The release process allows for Android to use additional features, like In App purchases. Without it, Google can't verify that in fact the app is yours.
It's a way of saying that someone trusted released the app.
It is a two-step authentication process to verify your app is yours. That gives an added layer of security that can't be done via other means.
Applications signed with the same key are allowed to share resources. The debug certificate is shared by all, and you probably don't want to have that level of access with all of your apps.
Basically, it makes a hacker's life more difficult, which is always a good thing.
For instance, one might give access to the Google Play account to people to modify the description, but you don't want them to upload new apps. Without the key, they can't upload the app. Furthermore, if your Google password is cracked, you still can't upload the app. It takes having your private key file and key to crack it.
#Pearson covered almost all the things, but there is one thing I would like to cover.
In Android, you cannot install an unsigned application in any way on your developer phone/emulator. You have to sign your application either with the debug certificate or with your own certificate.
Upon installation, the Android SDK generates a “debug” signing certificate for you in a keystore called debug.keystore. A debug certificate is only valid for 365 days.
So when you install your application through any IDE (Eclipse/Android Studio), the IDE also signs the app using the debug certificate.
Update
My question is: why do we need to use a signed APK? Can't we publish an unsigned APK? What's wrong with that?
You need to sign your app with your own release keystore certificate because you can't publish apps that are signed with the debug certificate, because:
One reason is that your debug certificate expires within a year, so after that you cannot release an update of your app once your debug certificate has expired; that is also why Google does not allow it, along with some more major security concerns.
The second reason is that the Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications.
Only people who have enabled debugging in their developer options will be able to run it. And people will need to know how to enable developer options (by clicking on 'Build Number' in the phone settings seven times). Google will not let you publish a debug apk, so people will have to side-load it.
An APK signed with the debug keystore is a signed APK. An unsigned APK can't be installed on a device. For production you must create a different keystore to sign with. Also, once published, future updates must be done using the same keystore. If the keystore is lost, the application can't be updated.
An unsigned APK is harder to trace to the original author. Although in principle there is nothing wrong with that, Google forces you to sign your APK before publishing on Google Play. Because of this, Google has the power to revoke the certificate when a developer abuses Google Play to publish software, i.e. malware.
Also, because you have to pay Google for a certificate, Google hopes that malicious developers won't pay over and over again to publish their application.
From Android Developers:
"The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications"...
Read all about it here
The Android documentation here states:
You must use the same key to sign future versions of your application. If you republish your app with a new key, Google Play will consider it a new app.
There is also a link to this blog that again claims that you can publish an app with the same package name and a different key for the signature, although the user will eventually have to uninstall the version signed with the old key.
However when I try to publish an application that I signed with a key that is not the same that was used the first time the application was published I get an error:
You uploaded an APK that is signed with a different certificate to your previous APKs. You must use the same certificate
I have also found the answer here that states that you can't.
So the question is: is it possible and if not why the Android docs says something different?
Technically you can use a different certificate. You just cannot upload it to Google Play if the certificate is different from a previously uploaded one.
Nothing stops you from installing the APK manually, though, after uninstalling the one with a different signature.
You cannot sign with a different key. They won't let you upload it. I don't see where in this blog entry it says you can upload with a different certificate. It seems to be listed under "Things that cannot change."
Just as important as the manifest package name is the certificate that application is signed with. The signing certificate represents the author of the application. If you change the certificate an application is signed with, it is now a different application because it comes from a different author. This different application can’t be uploaded to Market as an update to the original application, nor can it be installed onto a device as an update.