Android Sign APK With Upload Certificate (How To Ensure Correct Fingerprint)

Question

This is Google's documentation on signing an APK: https://developer.android.com/studio/publish/app-signing.html

The documentation seems fairly straight forward. I've been able to piece together process from various other pages, and from Stack Overflow threads. But, after I've signed the APK, the SHA-1 certificate fingerprint in the APK is wrong, which implies that I have not signed the APK with the correct certificate.

You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint:

[ SHA1: FINGERPRINT ]

and the certificate used to sign the APK you uploaded have fingerprint:

[ SHA1: FINGERPRINT ]

My question is: how do I make sure that my generated keystore is using the Upload Certificate from the Google Play Console?

Here's what I did:

• Sign up as a Google Developer and created an app in the console
• Clicked on App Signing and downloaded the Upload Certificate (upload_cert.der)
• I then used keytool to both import the certificate and create the keystore: "C:\Program Files\Java\jdk1.8.0_161\bin\keytool" -importcert -file upload_cert.der -keystore [appname].jks -alias "[appname]" . This succeeded in that it did create the keystore file. But, my gut feeling is that this is where the process went wrong. I don't think the certificate was imported.
• I checked the keystore with this command: "C:\Program Files\Java\jdk1.8.0_161\bin\keytool" -list -keystore [appname].jks and the outputted fingerprint is completely different to my upload certificate's fingerprint.
• I also tried: "C:\Program Files\Java\jdk1.8.0_161\bin\keytool" -importcert -file upload_cert.der -genkey -v -keystore [appname].jks -keyalg RSA -keysize 2048 -validity 10000 -alias [appname]
• This succeeded and pushed out the .jks keystore file
• I generated an unsigned APK (Archive)
• In Visual Studio, I clicked "Distribute ..." -> Ad Hoc
• Imported my keystore file and clicked "Save As" which seemed to sign my APK
• Then, I uploaded it to the store but the store rejected it saying it had the wrong fingerprint.
• So, I used the key too to check the fingerprint in the RSA file . "C:\Program Files\Java\jdk1.8.0_161\bin\keytool" -printcert -file [appname].RSA .The fingerprint was wrong.

What steps am I missing?

Note: the Google doc says that this is the process for manually signing:

https://developer.android.com/studio/publish/app-signing.html#sign-manually

keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

apksigner sign --ks my-release-key.jks --out my-app-release.apk my-app-unsigned-aligned.apk

But these steps don't use the upload certificate in any way...

All updates to your existing app must now be signed with your upload key. This will allow Google to verify your identity.

This makes complete sense. In essence, all I'm trying to do is sign the APK with my upload key from Google. I have the upload key. But, the step that Google hasn't documented is how to turn the upload key in to a keystore so that I can sign the APK with the keystore. It looks straight forward enough, but it's not working.

Answer 1

It seems you have lost your private keys. The Upload Certificate is the Certificate for your first upload app and created when you upload it. You need to use that .keystore file to sign your app.

how do I make sure that my generated keystore is using the Upload Certificate from the Google Play Console?

It's not possible. According to Google Manage your app signing keys:

Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.

The certificate doesn't contain the private key. So it could not used to create keystore.

The only way to solve this is that reset the upload key as said at the end of above article.

You refer to the following guides for publish app in xamarin:
Publishing to Google Play
Signing the Android Application Package
Manually Signing the APK