I'm having some problems packaging an app because the jarsigner keeps telling me this:
jarsigner: Certificate chain not found for: MyApp. MyApp must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
I generated the keystore using the command:
keytool -genkey -keystore myAppKeystore.keystore -alias myApp
then filled in the rest of the information as it prompted.
When I checked the app using this command I found:
keytool -keystore myAppKeystore.keystore -list -v
It said something like this, and it seems to only say private key:
Alias name: myApp
Creation date: 06-Sep-2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: ......etc
I'm sure it will be something really obvious, but what am I missing? I was under the impression the previous command created a keypair? Not just the private key.
Thanks!
You need to get a public key certificate. You can use keytool to generate certificate requests to a certificate authority and import certificate replies. Perhaps all you need is a self-signed certificate.
You need to generate a certificate for the key pair, with 'keytool -selfcert ...'. Better still, generate a CSR and get your CA to issue a code signing certificate.
Related
I get the title and the text below when I try and fail to build an .aab file using flutter build appbundle:
java.util.concurrent.ExecutionException: java.lang.RuntimeException: jarsignerfailed with exit code 1 :
jarsigner: Certificate chain not found for: keystore. keystore must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
I had to reset my signing key. The google developer support had me generate a new .jks file with the following command line which I ran from within my project folder:
keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
He then instructed me to convert this file into a .pem file using this command:
keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
I then emailed him the upload_certificate.pem file. I immediately noticed that the keystore.jks file was red in the sidebar and I get this upon clicking on it:
"The file 'keystore.jks' is not associated with any file type. Please define the association:"
The .pem file is also red, but clicking on it shows the text that makes up the key.
Do I need to reset the signing key again and do something different? Is there a way to fix the issue causing this error?
As dumb as this may sound, I spent 24 hours on this and all I had to was enter flutter clean
You have keyAlias=keystore in your key.properties while it looks like the alias you created is named upload (see in your keytool export command).
Repleace with keyAlias=upload and that should work if your password is correct.
Our android project consists of mobile and wear app ( wear app is under development) and we are trying to release the mobile app. When we try to generate signed apk we get this follow message :
Error:Execution failed for task ':wear:packageRelease'.
> com.android.ide.common.signing.KeytoolException: Failed to read key
toyanathpatro from store "/home/adventure/toyanath_patro_key/toyanath_patro_key":
No key with alias 'toyanathpatro' found in keystore /home/adventure/toyanath_patro_key/toyanath_patro_key
As it reads it says failed task for :wear:packageRelease where in reality we are selecting just the mobile while choosing for signing the apk.
Can anyone point out my blunder ? Thanks in advance.
The problem seems to be with the wrongly spelled key alias
In my case the alias should have been toyanath patro where I wrongly tried to use toyanathpatro . So the best suggestion would be:
Don't use space or invisible character in the key alias. as far as possible
There is a small selection button (3 horizontal dots) on the right side of key alias editable field. Use that button to find the alias which resides in that signature file.
In your build.gradle you have defined a signing config that it's pointing to a keystore that it's not in your code base.
Something similar to this.
android {
...
buildTypes {
release {
signingConfig signingConfigs.staging
...
}
}
signingConfigs {
defaultSignature {
keyAlias 'default'
keyPassword 'password'
storeFile file('default-keystore.jks')
storePassword 'password'
}
}
}
In my case android studio by default create alias 'key0' and it is the only alias in the file.
My fast solution: Create new key file from android studio with alias that You want. Use that new created file with "Generated Signed APK". If all goes well You could run app with properties set up in "Project Structure".
After generating keystore with-
keytool -genkeypair -v -keystore my-key.keystore -alias my-alias -keyalg RSA -
keysize 2048 -validity 10000
You should use exact name of alias in gradle.properties :-
MYAPP_UPLOAD_STORE_FILE=my-key.keystore
MYAPP_UPLOAD_KEY_ALIAS=my-alias <------this name
MYAPP_UPLOAD_STORE_PASSWORD=***
MYAPP_UPLOAD_KEY_PASSWORD=***
I had a sticky configuration which I could not get rid of. Even though I had changed the alias in the signing configuration window, it kept giving me the error "Could not find alias" with the original (wrong) alias that I first entered. I searched manually and found a file on path...
[project]/android/app/build/intermediates/signing_config/release/out/signing-config.json
...which contained the original (wrong) alias I first entered. Deleted the file and built/signed the app again. Hope it helps someone.
Build -> Rebuild project
It seems old key names are cached.
If you had the .Jks file before then you can get alias name by typing this command
keytool -v -list -keystore .jks
or
keytool -v -list -keystore .keystore
then you will have to type the password and you will get the alias name by that alias name you can create your signed release file easily.
My problem was that I lost my keys and when I contacted google for making a new key I made a new one with an alias name that I don't know so to solve this in your root android project cd app and paste this command keytool -v -list -keystore yourkeystore.jks don't forget to replace the yourkeystore.jks with your key you will get output we need only the Alias name copy this alias name and past it in your key.properties file like this
storePassword=YourPassword
keyPassword=YourPassword
keyAlias=AliasNameCopiedFromLastStep
storeFile=KeyStorePath
Click Build>Edit library and dependencies .
Then click plus button in signing tab. Key Alias is as same as Alias Key while generating signed apk build.
I initially used key0 for building. It failed with 'Errors while building APK'. Next time, I changed it to 'key1' to work and it worked.
Do not use capital keys for password. It's worked for me.
For generating .jks keys ,
keytool -genkey -alias myKeyStore -keyalg RSA -keystore "C:\apk\fastmoneyv1.jks"
If you are use this code when creating key
" keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload"
You have to update "keyAlias" property from key.properties
from: keyAlias=key
to: keyAlias=upload
in my case i had my keystore files already generated. I was updating my app and when i generated signed apk, i was creating new key_alias. Instead i choosed existing key alias from my keystore files and it's been resolved :)
in my case i have space on the right of the alias and you don't see that space make sure to hover is with the mouse
My issue was that I was using the "my-key-alias" instead of "key0" as the alias name so I had to check to confirm the actual key alias name keytool -v -list -keystore yourkeystore.jks and changing MYAPP_UPLOAD_KEY_ALIAS=key0 in the app/gradle.properties file instead of MYAPP_UPLOAD_KEY_ALIAS=my-key-alias
I received a keystore file from a customer which I am supposed to use to sign an APK that is going to replace/update an existing APK on the play store.
Unfortunately I get the following error:
jarsigner: Certificate chain not found for: alias_name. alias_name must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
When I try to sign the same APK with a different, self-generated keystore, this works fine, so I figured there must be something missing in the keystore.
Keystore-Typ: JKS
Keystore-Provider: SUN
Keystore enthält 1 Eintrag
Aliasname: alias_name
Erstellungsdatum: 19.05.2015
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigentümer: (redacted)
Aussteller: (redacted)
Seriennummer: 5152a7xx
Gültig von: Wed Mar 27 09:00:32 CET 2013 bis: Sun Aug 12 10:00:32 CEST 2040
Zertifikat-Fingerprints:
MD5: (bla)
SHA1: (bla)
SHA256: (bla)
Signaturalgorithmusname: SHA1withRSA
Version: 3
*******************************************
*******************************************
When I compare this to a different keystore file, I notice there is an "Extension" missing. What is it, and how do I go about fixing this? Is the file incomplete that I got from my customer?
When I import the .p12 file into my Mac OS X keychain, I can see a private key called alias_name and a certificate; although there is no "certificate chain" or anything.
I tried the following command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore data_dirs/ff.keystore /path/to/QtApp-release-unsigned.apk alias_name
jarsigner: Certificate chain not found for: alias_name. alias_name must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
When you create a keystore, you also create an alias in that keystore with an appropriate password. I assume "alias_name" isnt the name of that alias. You need to ask your client for that name and password to sign the apk with that alias and keystore.
I'm automating some things that involve the android keytool and jarsigner. The tool takes a keystore, the password for the keystore, the alias name, and the password for the alias / key, and I'm trying to find a way to explicitly check to see if the supplied password for the alias / key is correct.
Any ideas? Also, I need to check it without a jar file to sign - getting that file in my context is lengthy, so I want to abort sooner rather than later.
You can also check if the password is correct without attempting to change the password. I did it by listing the properties of the keystore with this command:
keytool -list -keystore <keystorefile> -storepass <passwordtocheck>
You can do it a couple of ways:
A. With keytool
If you run the command keytool -keypasswd -keystore <keystore> -alias <alias> -storepass <storepass> -keypass <keypass> -new <keypass> then you will get the error Keystore was tampered with, or password was incorrect if the keystore password is wrong, or the error Cannot recover key if the alias password is wrong. Unfortunately the return code is 1 in both cases, so you will need to do parsing of the program's output if you want to be smart about the type of error.
B. With a small Java program
Something along these lines:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
try (FileInputStream fis = new FileInputStream(keystore)) {
ks.load(fis, ksPw.toCharArray());
}
ks.getEntry(alias, new KeyStore.PasswordProtection(aliasPw.toCharArray()));
will fail at line 4 with a java.io.IOException if the key store password is wrong, or with a java.security.UnrecoverableKeyException at line 7 if the alias password is wrong.
I am having trouble using SSL, as I am getting the following error related to my keystore (self-created and self-signed using keytool per: http://developer.android.com/tools/publishing/app-signing.html):
08-14 20:55:23.044: W/System.err(5430): java.io.IOException: Wrong
version of key store. 08-14 20:55:23.060: W/System.err(5430): at
org.bouncycastle.jce.provider.JDKKeyStore.engineLoad(JDKKeyStore.java:812)
...
The error thrown in the JDKKeyStore.java class arises in the following code:
Blockquote
From JDKKeyStore.java:
if (version != STORE_VERSION)
{
if (version != 0)
{
throw new IOException("Wrong version of key store.");
}
}
Blockquote
In this case STORE_VERSION = 1, and my version=3 based on reading the details of the certificate held by the keystore I have created. I do not know how to generate a keystore containing a version=1 certificate.
I found this answer helpful:
wrong version keystore when doing https call
however it calls for creating the keystore using the following parameters:
-storetype BKS
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath /path/to/bouncycastle.jar
However, when I try to create the keytool (using the terminal app on Mac) using these parameters:
keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize
2048 -validity 10000 -keypass android -keystore
/Users/djames/dropbox/bc146keystore/debug.keystore -storepass android
-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/
(where /Users/djames/dropbox/bc146keystore/ is the path to the bouncy castle jar: bcprov-jdk16-146.jar)
I get the following error:
keytool error: java.lang.RuntimeException: Usage error, ?providerpath
is not a legal command java.lang.RuntimeException: Usage error,
?providerpath is not a legal command at
sun.security.tools.KeyTool.parseArgs(KeyTool.java:375) at
sun.security.tools.KeyTool.run(KeyTool.java:171) at
sun.security.tools.KeyTool.main(KeyTool.java:166)
I do not understand what this is telling me. If I use: keytool -help it tells me that the following are valid options for the -genkeypair option:
-genkeypair [-v] [-protected]
[-alias ]
[-keyalg ] [-keysize ]
[-sigalg ] [-dname ]
[-validity ] [-keypass ]
[-keystore ] [-storepass ]
[-storetype ] [-providername ]
[-providerclass [-providerarg ]] ...
[-providerpath ]
But in the Oracle docs java version 6 that I am using
(http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)
it tells me that these are the options:
-genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays}
{-storetype storetype} {-keystore keystore} [-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}} {-v}
{-protected} {-Jjavaoption}
which does not include the -providerpath option. Why the discordance?
(If I do not use the -providerpath option, then I get an unknown class exception at the option: "-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider"...)
When I google: keytool -providerpath
I get nothing helpful to resolve this.
I am not sure how to solve my keystore version problem without solving my keytool problem. Any suggestions appreciated.
Jim
(Mac OSX 10.6.8 if relevant)
My problem was using a version of bouncy castle that was too new. I had to use 146 - any later and it gave me this error.
I was able to get past this problem with the version of keystore. see: keytool error when creating BKS keystore: providerpath is not a legal command
The version mismatch is for the key store version, not the certificate version (which should have the value 2 for a v3 X.509 certificate).
What version of the JDK did you use keytool from? Did you specify a full path to the command, or use what was in your PATH? Are you sure that you are using JKS key stores, and not JCEKS stores?
In order to complete Ryan answer as I had to dig in to find out how to generate a BKS with Bouncy Castle 1.46, you can use Portecle to generate the BKS.
Download Boucycastle Provider 1.46
Install or unzip it.
Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
Restart Portecle and generate your BKS truststore.
This explained here.
Edit:
Since Portecle 1.8, you can use BKS-V1 type to generate your truststore without to replace bcprov.jar.
You can select it after clicking on New keystore or change the type via the menu Tools -> Change KeyStore Type.