There are two keys you needs. One is the App signing key, the master key used to sign your app. And the Upload key, which is an added layer of security on top of the original app signing key.
The app signing key can only be upgraded (i.e. generate a new one if old one is lost/compromised) once in an app’s lifetime. If you lose it twice, you’ll never be able to release updates for your app to the Play Store.
The upload key is an additional key that goes on top of the app signing key. Instead of using the master key every time, you start using the upload key to sign your app. If the upload key is lost/compromised, you can request a new one from Google as many times as you want.
You can either let Google handle the entire key generation process (generate both the app signing and the upload key), let Google handle part of the key generation process (Google does the upload key, you do the signing key), or you can generate both keys yourself and give them to Google in the formats it accepts.
The difference between letting Google generate the signing key and you doing it yourself is this:
if Google generates the key, you will not be able to see or download it. But you will be able to use the same key for all apps inside the Google Play store
you will also not be able to use the same signing key for app marketplaces other than Google Play Store (e.g. Amazon Appstore, Samsung Galaxy Apps, F-droid) because you wouldn’t be able to see or download it
Same app signing key means you can run multiple apps in the same process
Same signing key also means that you’ll be able to share data between multiple apps
Each app can only have its app signing key upgraded once in its lifetime. In the unlikely event that you have multiple apps using the same signing key specifically to run in the same process, you won’t be able to use key upgrade for those apps.
I am going to create my own signing key because i like having that control =) I am also going to generate the upload key myself and provide both to Google Play Store
keytool
At the end of this all you would have generated 4 files
1MYPROJECT_android_signing.keystore # You super secret app signing key
2MYPROJECT_android_signing_key.zip # Upload to Google Play
3MYPROJECT_android_upload_certificate.pem # Upload to Google Play
4MYPROJECT_android_upload.keystore # The upload key we'll always use, which if lost can be reset by Google on request
Generate two keys, one for app signing (master key), one for uploads to Play Store
1# Signing key
2keytool -genkeypair -v -keyalg RSA -keysize 4096 -validity 10000 \
3 -dname "cn=Jane Doe, ou=IT, o=Awesome Co., l=Lahore, st=Punjab, c=PK" \
4 -keystore "MYPROJECT_android_signing.keystore" \
5 -storepass "XXXXXXXXXXXXXXXXXXXXXXXXXX" \
6 -alias "MYPROJECT_android_signing_key"
1# Upload key
2keytool -genkeypair -v -keyalg RSA -keysize 4096 -validity 10000 \
3 -dname "cn=Jane Doe, ou=IT, o=Awesome Co., l=Lahore, st=Punjab, c=PK" \
4 -keystore "MYPROJECT_android_upload.keystore" \
5 -storepass "XXXXXXXXXXXXXXXXXXXXXXXXXX" \
6 -alias "MYPROJECT_android_upload_key"
Note down the keystore passwords and the key aliases, you’ll need these later.
I’m providing everything inside one command so it’s easier to script this key generation process. Otherwise it’ll prompt you for this information (password, organization details). If you don’t want to provide these details inside the command, you’ll run it like this
1keytool -genkeypair -v -keyalg RSA -keysize 4096 -validity 10000 -keystore KEYSTORE_OUTPUT_FILE.keystore -alias KEY_ALIAS
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Jane Doe
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your organization?
[Unknown]: Awesome Co.
What is the name of your City or Locality?
[Unknown]: Lahore
What is the name of your State or Province?
[Unknown]: Punjab
What is the two-letter country code for this unit?
[Unknown]: PK
Is CN=Jane Doe, OU=IT, O=Awesome Co., L=Lahore, ST=Punjab, C=PK correct?
[no]: yes
Generating 4,096 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 10,000 days
for: CN=Jane Doe, OU=IT, O=Awesome Co., L=Lahore, ST=Punjab, C=PK
[Storing KEYSTORE_OUTPUT_FILE.keystore]
keytool
is a part of JDK, and if you have setup your dev environment for Android it should already be in the path. You’ll get a prompt for setting the keystore password and then asked for some additional info about yur organization. Next it’ll ask you for a password for your key Alias
-genkeypair
generates a key pair (a public key and associated private key). It used to be named -genkey
in earlier version and is still supported, but the new name -genkeypair
is preferred going forward.-keystore
is the name of the output file for your keystore, in this case KEYSTORE_NAME.keystore
-keysize
is the size of the key, in this case 4096
. Default is 2048 (when using -genkeypair
and -keyalg
is “RSA”)-keyalg
is the key algorithm, in this case RSA
-validity
is in days. 9125 days is 25 years (default when you create a keystore with Android Studio). 10000 days is a little above 27 years.-storetype
is the format the keystore should be saved in. Default was JKS
up till JDK 8. Newer versions use PKCS12
.-alias
is the name of the key inside your keystore (one keystore can have multiple keys, you’d need to mention the alias of the key when you get to the signing part)Follow the instructions provided on screen during the App signing opt-in process
pepk.jar
file)1java -jar pepk.jar \
2 --keystore=MYPROJECT_android_signing.keystore \
3 --alias=MYPROJECT_android_signing_key \
4 --output=MYPROJECT_android_signing_key.zip \
5 --include-cert \
6 --encryptionkey=eb10fe8f7c7c9df715022017b00c6471f8ba8170b6471f8ba8170b13049a11e6c09ffe3056a104a34ba4fe93fc8cef27558a3eb9d2a529a2092761fb833b656cd48b9de6a
It’ll ask you for your keystore password and the key password. If you did not provide a password for your key during the generation of keystore then the key password is the same as the keystore password.
1Enter password for store 'MYPROJECT_android_signing.keystore':
2Enter password for key 'MYPROJECT_android_signing_key':
Follow the instructions provided on screen during the App signing opt-in process to convert your upload key to a PEM format
1keytool -export -rfc \
2 -keystore MYPROJECT_android_upload.keystore \
3 -alias MYPROJECT_android_upload_key \
4 -file MYPROJECT_android_upload_certificate.pem
Now upload both the .zip
and the .pem
to Google Play during the opt-in process