TheUnreal

Reputation: 24472

"Your Android App Bundle uses an upload certificate with a key that is too weak."

I got the following message in the Google Play Developer Console when I was trying to upload my app bundle after creating it using Android Studio Canary:

Your Android App Bundle uses an upload certificate with a key that is too weak.

I couldn't find any documentation about that. What is considered a "weak" certificate?

Upvotes: 16

Views: 13276

Answers (6)

Jorgesys

Reputation: 126465

This problem is caused by trying to upload an .AAB for a new application. One method to avoid this problem is using the same certificate registered in your Google Account for another app.

Go to Change app signing key,

select Use the same key as another app in the developer account and select one app from your developer account.

Upvotes: 4

Karthikeyan Ganesan

Reputation: 2035

Use SHA256withRSA because sha1 is the old certificate

$ keytool -genkey -v -keystore signed.keystore -alias name_app -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 10000

Then check the fingerprint

keytool -list -alias name_app -keystore signed.keystore

Superb. Now you get the standard certificate without any warnings

Upvotes: 3

ronelioolvr

Reputation: 11

I had the same problem and it was because I was using RSA 1024 and the requirement is 2048 at least. After the change, the signing was uploaded successfully.

Step "6", Key: https://developer.android.com/studio/publish/app-signing#generate-key

Upvotes: 0

will

Reputation: 995

I also found the same error message within the Google Play Console, when first uploading a new app signed with an existing keystore key.

To try and understand why my key was insecure, I found the requirements from Google for a signing key. Key requirements

Google ask that the key:

  • Must be an RSA key that's 2048 bits or more.
  • DSA, EC and RSA keys that are less than 2048 bits aren’t supported.

It is possible to check this using the program keytool. Using keytool

  • keytool -list -alias <your-key-name> -keystore <path-to-production-keystore>

After I did this, I got an error to say my JKS key was considered a security risk and I could see that the certificate was only 1024-bit.

The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
The certificate uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore x.keystore -destkeystore x.keystore -deststoretype pkcs12".

I then did two things:

  • Updated the keystore using the recommended function in the warning message.
  • Added a new alias within Android Studio.

Note: If you perform the JKS update and keep the src and dest the same, it will back up the old key as well.

Migrated "x.keystore" to PKCS12. The JKS keystore is backed up as "x.keystore.old".

Upvotes: 3
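A scripted form of the keytool check described in the answer above, as an added example that is not part of the original answers. It assumes the verbose listing (`keytool -list -v`) of a recent JDK, which prints the two lines shown in the comments; the function name `check_upload_key` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output on stdin and applies the
# rule quoted above: the key must be RSA and 2048 bits or more.
# Assumed input lines (recent JDK verbose listing):
#   Signature algorithm name: SHA256withRSA
#   Subject Public Key Algorithm: 2048-bit RSA key
# Returns 0 = acceptable, 1 = rejected, 2 = could not parse.
check_upload_key() {
    input=$(cat)
    key=$(printf '%s\n' "$input" | sed -n 's/^.*Subject Public Key Algorithm: *//p' | head -n 1)
    sig=$(printf '%s\n' "$input" | sed -n 's/^.*Signature algorithm name: *//p' | head -n 1)
    bits=${key%%-bit*}      # "2048-bit RSA key" -> "2048"
    rest=${key#*-bit }      # -> "RSA key"
    algo=${rest%% *}        # -> "RSA"
    case "$bits" in
        ''|*[!0-9]*) echo "UNKNOWN: no parsable public key line"; return 2 ;;
    esac
    # keytool itself flags SHA1withRSA as a security risk, so report it too.
    case "$sig" in
        SHA1withRSA*) echo "NOTE: certificate is signed with SHA1withRSA" ;;
    esac
    if [ "$algo" != "RSA" ]; then
        echo "REJECT: $bits-bit $algo key, only RSA is supported"; return 1
    fi
    if [ "$bits" -lt 2048 ]; then
        echo "REJECT: $bits-bit RSA key, 2048 bits or more required"; return 1
    fi
    echo "OK: $bits-bit RSA key"
}

# Constructed sample listings, trimmed to the two relevant lines.
sample_weak() {
    printf '%s\n' 'Signature algorithm name: SHA1withRSA' \
                  'Subject Public Key Algorithm: 1024-bit RSA key'
}
sample_ok() {
    printf '%s\n' 'Signature algorithm name: SHA256withRSA' \
                  'Subject Public Key Algorithm: 2048-bit RSA key'
}
sample_ec() {
    printf '%s\n' 'Signature algorithm name: SHA256withECDSA' \
                  'Subject Public Key Algorithm: 256-bit EC (secp256r1) key'
}

for s in sample_weak sample_ok sample_ec; do
    $s | check_upload_key || true
done
```

Against a real keystore, pipe the listing in: `keytool -list -v -alias <your-key-name> -keystore <path-to-production-keystore> | check_upload_key`.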

FVS

Reputation: 19

I'm using Unity to build my game. I had that exact same problem. Here's how I solved it:

  • Delete the Draft in Google console

  • Build an APK with my upload key

  • Upload the APK to Google console

  • Build the AAB with that upload key

  • Now upload the AAB file, and it magically works

When it comes to Android, I know absolutely nothing about what I'm doing. I tried the above and it worked for me, so I share, hope it'll work for you too :D

Upvotes: 1

james c

Reputation: 1

I solved the problem just now by following the following link. (Android Studio)

  • Sign your app (https://developer.android.com/studio/publish/app-signing)

  • Follow the instructions in section Generate a key and keystore to generate a bundle. Remember the Build Type has to be release. (Don't use Build/Build Bundles/APKs. Use the step 5 in the above link or Build/Generate signed Bundles/APKs...)

  • Go back to Google Play Console to upload the YourProject/app/release/release/aap.aab.

Upvotes: 0
