Signing an APK with an upload key provided by Google Play
Solution 1:
I was able to sign my APK using Upload key provided by Google Play. Here are the steps I followed for a new app:
- Create a keystore and add a signing key using Android Studio
- Sign the app using the key created in (1)
- Upload the APK to Google Play
- Download "Upload certificate" from Google Play Console
- Add downloaded certificate to the keystore created in step (1) using command
keytool.exe -importcert -file upload_cert.der -keystore <keystorefile>
- It should prompt that "Certificate already exists in keystore under alias . Do you still want to add it? [no]:"
- Type 'y' and press enter
- A confirmation message will appear
- For subsequent builds sign the app using the same process as in (2)
Important point to note here is that in step (6), the keytool import updates the original certificate with the one downloaded from Google Play.
Solution 2:
The Short Answer:
You can't sign an APK with the upload certificate in the Google Play Console.
Hopefully this answer will prevent others from wasting as much time as I did trying to find a solution that doesn't exist.
The Long Answer:
The Google Play support article Manage your app signing keys has the information needed to understand this.
From the "Types of keys & important definitions" section:
- Upload key (optional for existing apps): A new key you generate during your enrollment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
- Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
- Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
- Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.
Then, note that in Google Play Console, you can only download an upload certificate (as opposed to an upload key). Based on the definitions above, we can conclude that:
- the upload key is a private key, since the upload key is used to sign APKs.
- the upload certificate does not contain a private key, because certificates in general contain public keys, not private keys (there are exceptions, sort of, but not in this case).
- Therefore, the upload certificate cannot be used to sign an APK, no matter what steps you take. It just doesn't contain the necessary information.
As further evidence, this other SO question (Android signing error: trusted certificate entries are not password-protected) addresses the same issue, however since it doesn't reference upload keys/certificates, it is easy to miss the implications for this question -- that nothing you can download from Google Play will solve this problem.
Claims to the Contrary
Although some people report it IS possible to sign your APK with your upload certificate downloaded from Google Play, I believe they are misunderstanding what has happened. Note that generally these reports indicate you must import the certificate into the original keystore used to generate the key. In fact, when they think they are importing the (private) key needed to sign APKs, they are actually merely importing the public key and overwriting the public half of the key-pair -- with the same public key that was exported in the certificate in the first place.
Had they attempted to sign the APK with that alias WITHOUT doing the import procedure, it would have worked just as well. (The import changed nothing for them.) This is why the import only seems to work when used with the original keystore, not with a new keystore.
So what can you do instead?
It depends on your situation. Since the goal is to sign an APK and successfully upload it to Google:
- At some point during setup of "app signing by Google Play", someone generated an upload key and registered it with Google. If you still have that (private) key in a keystore somewhere, that is exactly what you need to sign your APK.
- If you generated the upload key with some tool other than
keytool
and then imported it into your keystore, and you still have the original generated file, you could import the private key again into a different keystore, using whatever process was used the first time. - If neither of the above are options, you can follow the instructions in the "Create a new upload key" section of the Manage your app signing keys article to generate a new upload key and have Google swap it in.