Reputation: 1026
I downloaded the upload_cert.der file from the Play Store. I added the root certificate to my keystore just fine. But Android Studio won't let me use it because there is no password for it. Android Studio complains that I must enter a key password before it lets me do the build.
I found someone else asking this question, and none of the answers mentioned the password, just explanations for why there are multiple entries of the wrong type in the keystore, etc. To be clear, I can create a key in the keystore of my own making and with a password, just fine. I deal with deleting an alias before I try to add a key of any sort. I just don't know how to use the .der file from the Play Store when Android Studio wants a password for the key and there is none!
Here's the exact error if I use a password that is just random gibberish:
Failed to read key rep from store "C:\Users\xxxx\xxxx.jks": trusted certificate entries are not password-protected
So it's clear that there is no way to fake this out somehow.
Upvotes: 2
Views: 7505
Reputation: 13842
The important fact you are missing:
Google Play never gives you a key you use to sign things. It only ever gives you certificates to verify with.
I'll start with the basics you probably know. In public key cryptography, there is a private key and a public key. Only the person who signs has the private key. Otherwise anyone could sign. The public key anyone can have. They can use it to check the signature is valid.
The upload_cert.der download only contains the public key. The reason Google Play lets you download it is for verification. You can verify offline that your signatures match what the Play Store expects. You probably never need to do this.
Google Play doesn't give you the private key for the upload certificate for 2 reasons.
So now the question you probably have is "how do I get the public key I need for signing?". The answer is "you create it". When you first uploaded your APK, that APK was signed with a key (Google insists on it). It was probably stored in your Android Studio. That key becomes your upload key. Find where you kept it.
Now you might be in a place where you don't know where the key is that you originally used. This is the great thing about Google Play App Signing. If you were signing your app yourself and lost the signing key, you would be stuck; you'd have to create a new app. But with Google Play App Signing you can contact Play Console support and they can help you. The process is on the help page.
Look at the section entitled "Create a new upload key". Notice step 1 is you create the key. Google still never has it.
Upvotes: 10
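An added example, not part of the question or the answer above: a Python sketch that uses upload_cert.der for the verification the answer describes, by parsing `keytool -list -v` output and reporting which alias is a `PrivateKeyEntry` whose certificate fingerprint matches the downloaded file. The function names are hypothetical, and the listing and certificate bytes are constructed sample data.

```python
import hashlib
import re

def sha256_fingerprint(der_bytes):
    """keytool-style SHA-256 fingerprint: hash of the DER file as colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_keytool_listing(text):
    """Parse `keytool -list -v` output into {alias: {"type": ..., "sha256": ...}}."""
    entries, alias = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Alias name:\s*(.+)", line):
            alias = m.group(1)
            entries[alias] = {"type": None, "sha256": None}
        elif alias and (m := re.match(r"Entry type:\s*(\S+)", line)):
            entries[alias]["type"] = m.group(1)
        elif alias and (m := re.match(r"SHA-?256:\s*([0-9A-Fa-f:]+)", line)):
            # Keep the first fingerprint per alias: the leaf certificate of the chain.
            entries[alias]["sha256"] = entries[alias]["sha256"] or m.group(1).upper()
    return entries

def find_upload_key(listing_text, upload_cert_der):
    """Return aliases that hold a private key AND match the certificate Play expects."""
    want = sha256_fingerprint(upload_cert_der)
    return [a for a, e in parse_keytool_listing(listing_text).items()
            if e["type"] == "PrivateKeyEntry" and e["sha256"] == want]

# Constructed sample data: placeholder bytes stand in for upload_cert.der, and the
# listing imitates (abridged) `keytool -list -v` output for a keystore with three aliases.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_LISTING = f"""
Alias name: playcert
Entry type: trustedCertEntry
     SHA256: {sha256_fingerprint(SAMPLE_DER)}

Alias name: upload
Entry type: PrivateKeyEntry
     SHA256: {sha256_fingerprint(SAMPLE_DER)}

Alias name: other
Entry type: PrivateKeyEntry
     SHA256: {sha256_fingerprint(b'constructed unrelated certificate')}
"""

if __name__ == "__main__":
    print(find_upload_key(SAMPLE_LISTING, SAMPLE_DER))
```

The imported `playcert` alias matches the fingerprint but is a `trustedCertEntry`, which holds no private key and therefore cannot sign; only `upload` qualifies.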