Cannot update release APK using Google Play app signing upload certificate (with original keystore)

Issue

I was trying to update a release on Google Play. Upon uploading my signed APK, I received this error message in the Google Play Console:

You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint:

[ SHA1: (SHA1 hash redacted) ]

and the certificate used to sign the APK you uploaded have fingerprint:

[ SHA1: (Mismatched SHA1 hash redacted) ]

I have tried many different methods for signing my APK (original keystore, different password combinations, new keystores, different key combinations, etc.) but none have succeeded.

I am fairly confident that the keystore is the original keystore as I had it backed up on an external drive, and the update date on both versions of the file are approx 30 mins before the original release (which is when I generated the first signed APK).

Since I used Google Play app signing (and the expected SHA1 hash is the same as the Upload Certificate SHA1 hash in ‘App Signing’ tab on my Play Console) I assumed that I would need to import the cert into the keystore I used to upload the original release APK.

Here are my results, which I have repeatedly been checking for some time now to ensure that they were not caused by simple typo (redacted parts are grouped into colors by value, I can post most of them if necessary):

Cannot update release APK using Google Play app signing upload certificate (with original keystore)

Please note that the keystorePass and the actual keyPass were specified as different passes, so using the keystorePass for both returns a “Cannot recover key” UnrecoverableKeyException, while using keyPass for the key gives a general exception “Public keys in reply and keystore don’t match.”

Some of my research turned up that if the keystorePass and keyPass are not identical, then this issue will arise. The proposed solution was to use keytool to change the keyPass to be identical to the keystorePass, but after what I assume is a successful keytool keypasswd change, I still getting the exception “Public keys in reply and keystore don’t match.” Using the old keyPass returns the expected incorrect password exception. Here’s a screenshot:

Cannot update release APK using Google Play app signing upload certificate (with original keystore)

For troubleshooting purposes, I tried adding the certificate directly to the keystore. That was a success using the keystorePass and gave me the expected SHA1 hash of the uploade_cert.der file from Google Play app signing:

Cannot update release APK using Google Play app signing upload certificate (with original keystore)

I also tried creating a new keystore (as well as new keys in both the original and new keystores with the same password), but trying to generate a signed APK using Android Studio with the new keystore after a successful keytool upload certificate import, I received this Android Studio error: “trusted certificate entries are not password-protected”

I have tried all of these steps with original and new infos in my gradle app file ( signingConfigs{release{keyAlias, keyPassword, storeFile, storePassword}} ) but no luck. Would love to get my app updated, and any tips or assistance would be greatly appreciated.

Solution

You have to try the follow procedure:

  1. Encrypt your private key (yourKeyStore.jks) using the PEPK tool (available on your Google console) used for signing the first version of the APK.
  2. Generate a new key (ex. apk-upload) and then extract the certificate from your created key in a upload-key.pem.
  3. Upload the upload-key.pem to your Google Account.
  4. Sign your release APK with your new key (apk-upload).

You will find the different commands and more details in this article:

https://medium.com/mindorks/securing-and-optimizing-your-app-with-google-play-app-signing-24a3658fd319

EDIT: (from comments) I think that if you had already enrolled Google App Signings, you have to contact Google support to gives you the ability to upload new private key or to get you old private key… the options given when you subscribe to Google App Signings, and I think that it’s not possible to resign your application with the old way if you had already enrolled Google App Signing.

(Asker’s Edit: Don’t use a different password for your keystore as you do the original key alias itself. Make sure that both keystorePass and keyPass are an exact match. If you already uploaded your keystore/key with different passes, then follow the steps on the Google Support page to reset your keystore with App Signing.)

Answered By – Moncef AOUDIA

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published