16

I have created a test app on the Play Store to test out the Google Play Signing functions. As soon as I created the test app and enabled the feature, I had access to the "Deployment Certificate". I didn't download it or use it in any way. The following are the steps I followed:

  1. Then, using Android Studio, I created a new keystore, giving it a password, and created an alias with a password (as usual).
  2. Signed the app with the keystore created in step 1. Uploaded the app to the Google Play store.
  3. Downloaded the Upload Key certificate. Added the Upload Key certificate to my keystore created in step 1 using the command `keytool.exe -importcert -file upload.der -keystore mykeystore.keystore`
  4. Checked if it was added to the keystore using the command `keytool.exe -list -keystore mykeystore.keystore`. There are now two aliases; a new alias (named mykey) was added in step 3. It is of the type trusted certificate.

Now, as "Trusted certificate entries are not password-protected", without an alias password Android Studio does not allow me to sign the app, and of course I cannot use a random password as they are "not password-protected". How do I use it to sign my APK for future updates? Am I missing something crucial here, or is my understanding incorrect?

Atif Farrukh

2 Answers

0

If you opt in to use a Google-managed signing key, you will have access to 'Deployment Certificates' after you have uploaded (released) your first APK, whereas 'Signing Certificates' will be available immediately from the App integrity page.

Regarding your steps, I think you are almost there except you don't need step 3 & 4.
You have already signed your app and uploaded it to Play Console in step 2. Note that the keystore you created in step 1 already contains your upload key (in fact both the private (upload key) and public key), so in step 3 you are downloading the same public key (Deployment Certificate) and adding it to your store.

The 'Deployment Certificate' is downloadable in case you want to share it with third-party API developers who use the app package name and certificate as an auth/trust mechanism. They are not used to sign APKs or anything; they are not secure anyway. They are just public keys and it is all safe to share them and no need to password protect them.

dsharew
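
A way to check which aliases in a keystore can actually sign, added here as an example and not part of the original posts: it parses `keytool -list` output, where only `PrivateKeyEntry` aliases hold a private key, and flags any `trustedCertEntry` whose fingerprint matches one. The listing, the alias `upload` and the fingerprints are constructed; `mykey` is the alias from the question.

```shell
#!/bin/sh
# Added example. Real use:
#   keytool -list -keystore mykeystore.keystore | signing_aliases

# Emit one line per entry: alias<TAB>type<TAB>fingerprint
parse_entries() {
  awk '
    { sub(/\r$/, "") }                       # tolerate CRLF from keytool.exe
    /Entry,[[:space:]]*$/ {                  # "alias, <date>, <type>,"
      n = split($0, f, ",")
      alias = f[1]; type = f[n-1]            # date may itself contain commas
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", type)
      next
    }
    /^Certificate fingerprint/ && alias != "" {
      fp = $0; sub(/^[^:]*:[[:space:]]*/, "", fp)
      printf "%s\t%s\t%s\n", alias, type, fp
      alias = ""
    }'
}

# Aliases that hold a private key, i.e. the only ones usable for signing.
signing_aliases() {
  parse_entries | awk -F'\t' '$2 == "PrivateKeyEntry" { print $1 }'
}

# Trusted-certificate aliases that only repeat a key entry's certificate.
redundant_certs() {
  parse_entries | awk -F'\t' '
    { a[NR] = $1; t[NR] = $2; fp[NR] = $3 }
    $2 == "PrivateKeyEntry" { key[$3] = $1 }
    END { for (i = 1; i <= NR; i++)
            if (t[i] == "trustedCertEntry" && (fp[i] in key))
              print a[i] " duplicates " key[fp[i]] }'
}

# Constructed listing: "upload" and both fingerprints are made-up values.
sample_listing() {
  cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

mykey, Jan 5, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): AA:BB:CC:DD
upload, Jan 5, 2021, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): AA:BB:CC:DD
EOF
}
```
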
-1

Use the Upload Certificate, upload_cert.der, not the App Signing Certificate, deployment_cert.der. You can download it in Google Play Console right under App Signing Certificate.

Trent Steele