Use app signing by Google Play

App signing provides a secure update mechanism for Android apps. Every Android app is signed cryptographically with a private key by its developer or Google Play. Every private key has an associated public certificate which any device or service can use to verify that the app was signed with a private key from a trusted source. This ensures that each app update is trustworthy, because the device only accepts an update that is signed with the same key as the installed app. To learn more about app signing on Android, read Sign your app.

By opting in to app signing by Google Play, Google manages and protects your app's signing key for you, and uses it to sign your APKs for distribution. These are the benefits of app signing by Google Play:

  • Allows you to use the Android App Bundle and benefit from Google Play’s Dynamic Delivery. The Android App Bundle makes your app much smaller, your releases simpler, and makes possible dynamic features and instant experiences.

  • Increases the security of the key used to sign your app’s APKs, and makes it possible to use a separate upload key to sign the app bundle you upload to Google Play. By using a separate upload key you can request an upload key reset if your key is ever lost or compromised. If you’re not opted in to app signing by Google Play and you lose your app’s signing key, you lose the ability to update your app.

Types of keys & definitions

Here are the important types of keys, artifacts, and tools you should understand:

  • App signing key: The key Google Play uses to sign the APKs that are delivered to a user's device. When you opt in to app signing by Google Play, you either upload an existing app signing key or you choose for Google Play to generate one for you. The app signing key can never change for the lifetime of your app as part of Android’s secure update model. The app signing key is private and must be kept secret. You can share the app signing key’s public certificate with anyone.

  • Upload key: The key you use to sign the app bundle or APK before you upload it to Google Play. The upload key must be kept secret. You can share the upload key’s public certificate with anyone. You may generate an upload key in one of the following ways:

    • If you choose for Google to generate the app signing key for you when you opt in, then the key you use to sign your first release is designated as your upload key.

    • If you provide the app signing key to Google when opting in your new or existing app, then you have the option to generate a new upload key during or after opting in for increased security.

    • If you do not generate a new upload key, you continue to use your app signing key as your upload key to sign each release.

To keep your keys secure, it’s a good idea to make sure your app signing key and upload key are different.

  • Certificate (.der or .pem): A certificate contains a public key and some extra identifying information about who owns the key. The public key certificate allows anyone to verify who signed the app bundle or APK. You can download the public certificate for your app signing key and your upload key from the App signing page in the Play Console in order to register your key(s) with API providers. The public key certificate can be shared with anyone. It does not contain your private key.

  • Certificate fingerprint: A short and unique representation of a certificate that is often requested by API providers alongside the package name to register an application to use their service. The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates can be found on the App signing page of the Play Console. Other fingerprints can also be computed by downloading the original certificate (.der) from the same page.

  • Java keystore (.jks or .keystore): A repository of security certificates and private keys.

  • Play Encrypt Private Key (PEPK) tool: Use this tool to export private keys from a Java Keystore and encrypt them for transfer to Google Play. When providing the app signing key for Google to use, select the option to export and upload your key (and its public certificate if required) and follow the instructions to download and use the tool. If you prefer, you can download, review, and use the PEPK tool’s open source code.

How app signing by Google Play works

When you use app signing by Google Play, your keys are stored on the same infrastructure that Google uses to store its own keys. Keys are protected by Google’s Key Management Service, and you can learn more about Google’s technical infrastructure by reading the Google Cloud Security Whitepapers.

If you want to publish your apps using the Android App Bundle, you need to enroll in app signing by Google Play before uploading your app bundle.

App signing by Google Play is an optional program, so if you want to upload an APK instead of an app bundle, you can continue managing your own keys. However, if you lose your keystore or think it may be compromised, you won’t be able to update your app and will need to publish a new app with a new package name.

Here’s how the signing process works:

  1. Sign your app bundle or APK and upload it to your Play Console.

  2. The next step depends on what you upload:

    • App bundle: Google generates optimized APKs from your app bundle and signs them with the app signing key.

    • APK signed with upload key: Google verifies and strips your signature from the APK, and then resigns the APK with the app signing key.

    • APK signed with app signing key: Google verifies the signature.

  3. Google delivers signed APK(s) to the user.

You can upload APKs signed with the original app signing key at any time before or after opting in to app signing by Google Play. One benefit of this is that it enables you to start testing your app bundle in the open, closed, or internal test tracks while you release your existing APK in production without app signing by Google Play.

Permissions & access

If you're a Play Console account owner or a user with the global "Manage production releases" permission, you can opt in to app signing by Google Play. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enroll individual apps into the program.

Accepting the Terms of Service does not mean that all apps associated with your developer account will automatically be enrolled in app signing.

Opt in a new app

Step 1: Create an upload key

  1. To create an upload key for new apps, follow the instructions on how to sign your app.

  2. Sign your new APK with the upload key.

Step 2: Prepare & roll out your release

  1. Follow the steps to prepare & roll out your release.

  2. Once you choose the release track, configure app signing under the "Let Google manage and protect your app signing key" section.

  3. Select Continue to let Google manage your app signing key or Advanced options to choose the best option for your app.

  4. Choose the best app signing option for your app:

    • To have Google Play generate a key and sign your app, select Continue. The key you used to sign your first release becomes your upload key and should be used to sign future releases.

    • To use the same key as another app on your developer account, select Advanced options > Option 2 and choose the appropriate app.

    • To upload an existing app signing key, select Advanced options > Option 2-4 to choose the export and upload option that best suits your release process. Once your app signing key and its public certificate are uploaded, you can create an upload key or continue to use the app signing key as your upload key.

If you haven't already accepted the Terms of Service, you will be required to review the terms and select Accept to continue. If you choose not to opt in to app signing at this time, you can opt in an existing app at any time by following the instructions below.

Step 3: Register your app signing key with API providers

If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.

  2. Select an app.

  3. On the left menu, select Release management > App signing.

  4. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.
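
A certificate fingerprint, whether one of the three shown on the App signing page or one of the "other fingerprints" computed from the downloaded .der file, is nothing more than a digest of the certificate's DER bytes, printed as colon-separated uppercase hex pairs. The following Python (standard library only) is an added example and is not code from this page or from Google: it derives the MD5, SHA-1 and SHA-256 fingerprints from a PEM or DER certificate and checks one against the value an API provider has on file, tolerating the lowercase or colon-free form some provider consoles display. SAMPLE_DER and SAMPLE_PEM are constructed inputs for the demonstration, not a real certificate; the math is identical for a real one.

```python
import base64
import hashlib
import hmac
import re

FINGERPRINT_ALGOS = ("md5", "sha1", "sha256")  # the three the App signing page lists


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode; the result is the DER certificate."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER encoding, formatted the way keytool and the Play Console print it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def all_fingerprints(der: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 fingerprints keyed by algorithm name."""
    return {algo: fingerprint(der, algo) for algo in FINGERPRINT_ALGOS}


def normalize(fp: str) -> str:
    """Canonical form for comparison: hex digits only, uppercase (drops colons, spaces, case)."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches_registered(der: bytes, registered: str, algo: str = "sha256") -> bool:
    """True if the certificate's fingerprint equals the one registered with an API provider."""
    # compare_digest avoids short-circuit timing differences; cheap insurance for any secret-adjacent compare
    return hmac.compare_digest(normalize(fingerprint(der, algo)), normalize(registered))


# Constructed sample input (not a real certificate): a real one is several hundred bytes of DER,
# but a fingerprint is computed over the raw bytes in exactly the same way.
SAMPLE_DER = b"constructed-sample-der-bytes-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo, fp in all_fingerprints(der).items():
        print(f"{algo.upper():7}{fp}")
    print("matches provider record:", matches_registered(der, fingerprint(der).lower().replace(":", "")))
```

With a real certificate, for example the upload_certificate.pem exported further down this page, `all_fingerprints(pem_to_der(open("upload_certificate.pem").read()))` yields the same three lines that `keytool -printcert -file upload_certificate.pem` prints, and the SHA-256 entry is the value most providers ask for alongside the package name. Register the app signing certificate's fingerprint for production and the upload certificate's fingerprint for local testing, as the tips at the end of this page describe.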

Opt in an existing app

Step 1: Enroll in app signing by Google Play

  1. Sign in to your Play Console.

  2. Select an app.

  3. On the left menu, select Release management > App signing.

  4. If applicable, review the Terms of Service and select Accept.

Step 2: Send your original key to Google

To upload your original key to Google Play and create an upload key:

  1. Find your original app signing key.

  2. Sign in to your Play Console.

  3. Select an app.

  4. On the left menu, click Release management > App signing.

  5. Upload an existing app signing key. Select the export and upload option that best suits your release process.

Step 3: Create an upload key (recommended)

  1. Create an upload key and upload the certificate to Google Play, or continue to use the app signing key as your upload key.

  2. On the next screen, you'll be shown fingerprints of your app's certificate(s). For testing purposes, you may need to register the certificate of your upload key with API providers using the fingerprint of the certificate (in addition to registering your app signing key).

Step 4: Sign your next app update with the upload key

All updates to your existing app must be signed with your upload key.

  • If you didn’t generate a new upload key, then continue to use your original app signing key to sign each release before uploading it to Google Play. If you ever lose your app signing key, you can generate a new upload key and register it with Google to continue updating your app.

  • If you generated a new upload key, then use the new upload key to sign each release before uploading it to Google Play. Google checks that the release is signed with an upload key in order to verify your identity. If you ever lose or compromise your upload key, you can contact developer support to reset it.

Create an upload key

For increased security, it's recommended to sign your app and future releases with a new upload key instead of your app signing key. You can either complete this step when you opt in to app signing by Google Play or you can visit Release management > App signing to start using an upload key later.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.

  • The upload key’s signature is removed from any uploaded APKs before they are sent to users; users only ever see APKs signed with the app signing key.

Upload key restrictions

  • The upload key must be an RSA key that's 2048 bits or more.

  • The following aren't supported: DSA keys, EC keys, or RSA keys that are less than 2048 bits.
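
Before registering a new upload certificate it is worth confirming the key actually satisfies the two restrictions above, because a rejected certificate costs a round trip through the Console. The following Python (standard library only) is an added example, not code from this page or from Google: it reads a PEM-encoded SubjectPublicKeyInfo, such as `openssl x509 -in upload_certificate.pem -pubkey -noout` prints for the certificate exported in the next section, identifies the algorithm from its OID and, for RSA, measures the modulus, then applies the RSA-only, 2048-bit-minimum rule. The sample keys at the bottom are constructed for the demonstration: the RSA moduli are dummy integers of the right size and the EC point is zeros, so none of them is a usable key.

```python
import base64
import re

# Standard algorithm OIDs (well-known values, not from the page).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "EC",
}
MIN_RSA_BITS = 2048  # page: upload key must be RSA, 2048 bits or more


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


# --- minimal DER reader, enough for a SubjectPublicKeyInfo structure ---
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def inspect_public_key(spki_der: bytes):
    """Return (algorithm_name, rsa_modulus_bits_or_None) for a DER SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, alg_id, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier SEQUENCE
    _, oid_bytes, _ = _read_tlv(alg_id, 0)        # algorithm OID
    name = OID_NAMES.get(_decode_oid(oid_bytes), _decode_oid(oid_bytes))
    _, bit_string, _ = _read_tlv(spki, pos)       # subjectPublicKey BIT STRING
    if name != "RSA":
        return name, None
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)  # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, modulus, _ = _read_tlv(rsa_key, 0)         # INTEGER n (may carry a leading 0x00)
    return name, int.from_bytes(modulus, "big").bit_length()


def check_upload_key(pem: str):
    """Apply the upload key restrictions; return (ok, reason)."""
    name, bits = inspect_public_key(pem_to_der(pem))
    if name != "RSA":
        return False, f"{name} keys are not supported as upload keys"
    if bits < MIN_RSA_BITS:
        return False, f"RSA key is {bits} bits; at least {MIN_RSA_BITS} required"
    return True, f"RSA {bits}-bit key is acceptable"


# --- constructed sample inputs (dummy numbers, not real keys) ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def _pem(spki: bytes) -> str:
    return "-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(spki).decode() + "\n-----END PUBLIC KEY-----\n"


def _rsa_spki_pem(modulus_bits: int) -> str:
    modulus = (1 << (modulus_bits - 1)) | 1  # dummy value with exactly modulus_bits bits
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption, NULL
    return _pem(_tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key)))


GOOD_RSA_2048 = _rsa_spki_pem(2048)
WEAK_RSA_1024 = _rsa_spki_pem(1024)
EC_P256 = _pem(_tlv(0x30,  # id-ecPublicKey with the P-256 curve OID and an all-zero 65-byte point
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    + _tlv(0x03, b"\x00\x04" + b"\x00" * 64)))

if __name__ == "__main__":
    for label, pem in (("2048-bit RSA", GOOD_RSA_2048), ("1024-bit RSA", WEAK_RSA_1024), ("P-256 EC", EC_P256)):
        print(f"{label:14}", check_upload_key(pem))
```

The parser reads only the fields the check needs (the algorithm OID and, for RSA, the modulus) and ignores everything else, which is why it stays short; it is not a general X.509 parser and should not be used to validate untrusted certificates.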

Create an upload key

  1. Generate a new upload key and store it safely. Follow these instructions to generate a new upload key.

  2. Export the certificate for the newly generated upload key to PEM format. Replace upload-keystore.jks with the path to your keystore and upload with the alias of the key in it:

$ keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem

  3. Upload the certificate of your upload key to register it with Google when prompted.

Update your keystores

After you create an upload key, update your keystores. For example, you may want to check the following locations:

  • Local machine

  • Locked on-site server (varying ACLs)

  • Cloud machine (varying ACLs)

  • Dedicated secrets management services

  • (Git) repositories
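
Replacing the key in every location above first requires knowing where copies of the old keystore live, and a file renamed to hide it (or checked into a repository under an innocent name) will not be found by searching for the .jks extension alone. The following Python (standard library only) is an added example, not code from this page or from Google: it walks a checkout or a server directory and reports likely keystores by their leading bytes (the JKS and JCEKS magic numbers) as well as by extension, so that content-based hits and name-only hits can be reviewed separately. build_sample_tree() creates a constructed sample checkout in a temporary directory; the files in it are stubs with only a header, not real keystores.

```python
import os
import tempfile

# Well-known file signatures (not from the page).
JKS_MAGIC = bytes.fromhex("FEEDFEED")    # Java KeyStore, the .jks format keytool writes
JCEKS_MAGIC = bytes.fromhex("CECECECE")  # JCEKS variant of the same store
KEYSTORE_EXTENSIONS = {".jks", ".keystore", ".p12", ".pfx"}


def classify(path: str):
    """Identify a keystore from its first bytes, so renamed copies are still found."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    if head == JKS_MAGIC:
        return "jks"
    if head == JCEKS_MAGIC:
        return "jceks"
    if head[:2] == b"\x30\x82":
        return "der (possibly PKCS#12)"  # DER SEQUENCE with 2-byte length; .p12 stores begin this way
    return None


def find_keystores(root: str):
    """Walk root and return sorted (relative_path, kind) pairs for every likely keystore."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Git objects are zlib-compressed, so raw magic bytes are not visible there;
        # scan history with git tooling instead of reading .git directly.
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind is None and os.path.splitext(name)[1].lower() in KEYSTORE_EXTENSIONS:
                kind = "by extension only"
            if kind:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample checkout: two stores detectable by content, one only by name."""
    root = tempfile.mkdtemp(prefix="keystore-scan-")
    os.makedirs(os.path.join(root, "app", "config"))
    files = {
        "app/release.jks": JKS_MAGIC + b"\x00\x00\x00\x02",         # JKS version-2 header
        "app/config/notes.txt": JCEKS_MAGIC + b"\x00\x00\x00\x02",  # keystore hidden behind a .txt name
        "app/old-upload.keystore": b"",                             # empty placeholder, flagged by name only
        "app/README.md": b"# build notes\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in find_keystores(build_sample_tree()):
        print(f"{kind:24} {rel}")
```

Point find_keystores at a real checkout or a server's home directories and treat every content-based hit as a location that must receive the new upload keystore and lose the old one; a "by extension only" hit is usually a stale placeholder but still deserves a look.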

Reset a lost or compromised private upload key

If you have lost your private upload key, or it has been compromised, create a new one and contact the Google Play support team to reset the key.

Resetting your upload key will not affect the app signing key that Google Play uses to re-sign APKs before delivering to users.

Contact our support team

Our support team only accepts key reset requests from the Play Console account owner.

To contact us, the account owner can fill out this form. Make sure to attach the upload_certificate.pem file.

You'll receive an email once we've registered the new upload key. At that time, you can follow the steps listed above to update your keystores and API provider registration.

Tips & best practices

  • If you also distribute your app outside of Google Play or plan to do so in the future, you can generate the app signing key you want to use for every app store and then upload it to Google when you opt in to app signing by Google Play.

  • To protect your developer account, we recommend you turn on 2-Step Verification for all accounts with access to your Play Console.

  • After publishing an app bundle to a test track or the production track, you can visit the app bundle explorer to download a ZIP archive with all the APKs for a specific device. These APKs are signed with the app signing key. You can install the APKs contained in the ZIP archive on a device using the bundletool command-line utility.

  • When you opt in to app signing by Google Play, generate a new upload key which is different from your app signing key for increased security.

  • If you ever lose or compromise your upload key, you can contact Google to reset it.

  • If you want to test the APK signed with the upload key, you will need to register your upload key with any service or API that uses your app's signature for authentication (like the Google Maps API or Facebook SDK). If you're using any Google API, you may want to register the upload certificate in the Google Cloud Console for your app.
