Google App Signing - Still able to upload the Apk signed with old Keystore

Question

I was signing my APK with a p12 certificate before opting-in to "Google Play App Signing"

I have followed the steps described in the Post below written by @MatPag to activate Google App Signing.

How to enable Google Play App Signing

After activation, I can still sign and upload my APK file with both old p12 certificate and with the newly created Upload Keystore. Is this an expected behavior, or am I doing something wrong?

As far as I understand from Google Play App Signing documents, I should not be able to upload the APK to Google Play Console which has been signed with the old p12 certificate.

Answer 1

Yes, this is normal behaviour. You can actually convert your p12 certificate to a keystore if you wish:

First create an empty keystore:

keytool -genkey -alias <somename> -keystore <somecertificatename>.jks

Now convert p12 certificate to a keystore:

keytool -v -importkeystore -srckeystore <yourp12certficate>.p12 -srcstoretype PKCS12 -destkeystore <somecertificatename>.jks -deststoretype JKS

Answer 2

This is an expected behaviour. This allows developers to upload an App Bundle signed with the upload key and test it on a testing track while not changing their build or release process for APKs in the meantime.

Answer 3

Answer from Google:

Thanks for your patience.

I have looked into your APK and screenshots you have provided and it seems there are no issues with this.

You can continue to use both keys going forward to sign your app.

Case 1: Sign APK with old p12 certificate which has been used before enrolling to Google App Signing.

Case 2: Sign APK with newly created upload certificate which has been generated while enrolling to Google App Signing.