I know how to get my SHA-1 fingerprint either through the terminal or Eclipse (go to: Window->Preferences->Android->Build), but there have not been many answers on how to keep the SHA-1 fingerprint in cases of emergencies.
E.g., my hard disk died, and I had to export my .apk under a different SHA-1 fingerprint and hence under a completely new app listing in the Google Play store.
In case of another hard disk breakdown or a new computer, is there a way to still use the same SHA-1 fingerprint? Maybe I am lacking some knowledge of how a keystore certificate works, and hopefully someone can enlighten me.
If your concern is about the app store apk file, then you have to preserve the keystore file with which you uploaded the apk to the Play Store. Don't worry about the SHA-1 fingerprint; in any case you have to preserve only the keystore. And apk creation is dependent on the keystore after you have created it.
I reset my APK certificate in the Google Play Console, so Google gave me this information:
the new key will be usable from 2022-02-04 17:12:58 UTC
But until now I can't replace my certificate; it says that I entered the old certificate, even though Google has told me to replace it with a new one. What should I do?
I've contacted the Google developer, but so far they haven't answered.
best regards,
When you reset the upload key, you were given instructions to generate a new keystore. You need to sign your APK or AAB using that new keystore. For that, you will need to update the path to the keystore in your build.gradle file (or the signing configuration of whichever build system you use).
If this still doesn't work, go to the "App Integrity" page in the Play Console, and look at the SHA1 of the "Upload certificate", and compare that with the SHA1 of the keystore you sign your APK/AAB with -- see this post for example on how to extract this info off a keystore.
If you see a difference in the SHA1, then either you don't have the right keystore or the reset maybe didn't work and you may need to do it again.
For a couple of days, I've been trying to upload the aab of an existing app. We have never tried aab before, so this was a fresh attempt. I encountered an error saying "Your android app bundle is signed with the wrong key", which indicated a mismatch of SHA1. So I cleaned the project, rebuilt, invalidated cache (because why not) and tried again - the error persisted. Although, uploading regular APKs work fine with this keystore.
Out of curiosity, I tried building the signed aab with another keystore in our project directory (one that no one used) and to my surprise, this newly signed aab was accepted. This seemed impossible, and I found the SHA1 of "App signing certificate" belongs to one keystore, while the "Upload certificate" belongs to another keystore.
I don't understand how this is possible. We have multiple people accessing the dev console. Even if it's a human error, how was the upload certificate from the wrong keystore accepted? How can I have this fixed so that I can upload the aab with the actual keystore?
When you (or someone in your team) enrolled your app in App Signing by Play, you must have created this second keystore to create the upload key and uploaded the certificate to Google Play (by simply following the given instructions).
The upload key is the one that should be used to sign the future APKs and App Bundles.
The reason that your APKs can still be uploaded with your original app signing key even after creating this upload key is that Play wanted to allow for a transition time where you're just testing the App Bundle in some testing track but don't want your current APK release process to be affected in the meantime, so they'll still accept APKs uploaded with the app signing key.
Ideally, you should now put the keystore containing your app signing key in a safe location with restricted ACLs (since having it compromised can have devastating consequences, i.e. have to migrate all your users to a new app) and only use the keystore containing your upload key (which, if compromised, can be reset).
For some explanation about upload keys and app signing keys, I recommend reading the documentation here:
https://support.google.com/googleplay/android-developer/answer/7384423?hl=en-US
I have an app already uploaded and published on the Play Store. Now I want to update it. It was signed using Google Play signing, and I do have the keystore and cert,
but when I try to make a signed apk from Android Studio it gives me this error:
Trusted certificate entries are not password-protected
I also tried to make the apk using jarsigner, but still no luck.
I downloaded the certificate and then added the certificate to the jks, but there is still an error:
Certificate chain not found for: mykey. mykey must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
mykey is a valid key; I can see it in the keystore list.
Well, the Keystore is not the certificate that Google gives you once you upload the app to the Google App Store; the Keystore is the one that Android Studio gives you once you sign the app. It requires an Alias and a Password too, to be more precise. However, try to find the Keystore, because you can't update your own app without the SAME Keystore you used for the first upload. Good luck and keep coding; let me know if you need more support or if you still have some doubt. Have a good day!
I know a certificate contains a public key and some extra info (I hope) but is it saved in the apk file? Is it a file or text or what? And what is a signature exactly?
And in Android which one could we easily read to verify the app?
Certificates and keystores
A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner of the key (for example, name and location). The owner of the certificate holds the corresponding private key.
When you sign an APK, the signing tool attaches the public-key certificate to the APK. The public-key certificate serves as a "fingerprint" that uniquely associates the APK to you and your corresponding private key. This helps Android ensure that any future updates to your APK are authentic and come from the original author. The key used to create this certificate is called the app signing key.
A keystore is a binary file that contains one or more private keys.
Every app must use the same certificate throughout its lifespan in order for users to be able to install new versions as updates to the app. For more about the benefits of using the same certificate for all your apps throughout their lifespans, see Signing Considerations below.
Sign your debug build
When running or debugging your project from the IDE, Android Studio automatically signs your APK with a debug certificate generated by the Android SDK tools. The first time you run or debug your project in Android Studio, the IDE automatically creates the debug keystore and certificate in $HOME/.android/debug.keystore, and sets the keystore and key passwords.
Because the debug certificate is created by the build tools and is insecure by design, most app stores (including the Google Play Store) will not accept an APK signed with a debug certificate for publishing.
Android Studio automatically stores your debug signing information in a signing configuration so you do not have to enter it every time you debug. A signing configuration is an object consisting of all of the necessary information to sign an APK, including the keystore location, keystore password, key name, and key password. You cannot directly edit the debug signing configuration, but you can configure how you sign your release build.
For more information about how to build and run apps for debugging,
As far as I know (I'm fairly new to android development), you sign your apk with a certificate. Someone correct me if I'm wrong.
Here is some additional information:
https://source.android.com/security/apksigning/v2
https://developer.android.com/studio/publish/app-signing.html
Also, if you want to publish via google play store, this is important to know for you:
The apk must be signed with the same certificates as the previous version
When you compile your APK, one of the final steps is signing your APK. Actually it is adding 3 small files. You can rename any APK to ZIP, unpack it, and you will find the directory META-INF; it is your signing information.
MANIFEST.MF and CERT.SF are very similar and contain a list of files and their sha1/sha256 hash sums (the first for the files, the second just for the entries of the first file), and CERT.RSA, which is an x509 certificate with your public key.
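To make the MANIFEST.MF layer of that layout concrete, here is an added example (not from the answer above) that builds a tiny in-memory "APK" with a constructed entry and manifest, then re-hashes each listed entry and reports any whose content no longer matches the recorded digest; the entry name and content are made up for the demonstration.

```python
import base64
import hashlib
import io
import zipfile


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample: one entry plus a MANIFEST.MF carrying its SHA-256 digest,
    laid out the way the v1 (JAR) signing scheme records per-file hashes."""
    payload = b"<constructed placeholder for AndroidManifest.xml>"
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        f"Name: AndroidManifest.xml\r\nSHA-256-Digest: {digest}\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        # A tampered archive carries different bytes under the same entry name.
        zf.writestr("AndroidManifest.xml", b"<modified>" if tamper else payload)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> (digest algorithm, base64 digest) from MANIFEST.MF sections.
    Sections are separated by blank lines; the main section has no Name and is skipped.
    (Real manifests wrap lines longer than 72 bytes; the sample stays below that.)"""
    entries = {}
    for section in text.split("\r\n\r\n"):
        name, algo, value = None, None, None
        for line in section.splitlines():
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif "-Digest: " in line:  # e.g. "SHA-256-Digest: ..." or "SHA1-Digest: ..."
                algo, value = line.split("-Digest: ", 1)
        if name and algo:
            entries[name] = (algo, value)
    return entries


def verify_manifest_digests(apk_bytes: bytes) -> list:
    """Return the names of entries whose current content does not match MANIFEST.MF."""
    mismatched = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
        for name, (algo, expected) in parse_manifest(manifest).items():
            hasher = hashlib.new(algo.replace("-", "").lower())  # "SHA-256" -> sha256
            hasher.update(zf.read(name))
            if base64.b64encode(hasher.digest()).decode() != expected:
                mismatched.append(name)
    return mismatched
```

This checks only the file-digest layer; what ties the archive to the developer is the signature in CERT.RSA over CERT.SF (which in turn hashes MANIFEST.MF), so a matching manifest alone does not prove who signed the APK.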
I have lost my keystore file. Now I need to update my app on the Play Store. Is there any way to get my keystore file? I have my old signed apk. Any answer will be appreciated.
Access:
https://support.google.com/googleplay/android-developer/contact/otherbugs?hl=en
and mark the options like below:
You cannot recover a lost keystore.
The signature on your existing APK is just a signature: you cannot reproduce the signature without the key that generated the signature.
Google does not store, keep track of, or ever have access to your keystore. It is completely on the developer to manage the keystore.
Your options are:
Find the keystore
Generate a new keystore and re-upload your application as a new application. You will be starting completely fresh with this option.