Use app signing by Google Play

With app signing by Google Play, Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution. It’s a secure way to store your app signing key that helps protect you if your key is ever lost or compromised.

Important: To use Android App Bundles, the recommended app publishing format, you need to enrol in app signing by Google Play before uploading your app bundle on the Play Console.

To opt in, you need to be an account owner or a user with global 'Manage production releases' permissions, and you need to accept the Terms of Service. You can enrol apps into app signing by Google Play one at a time.

How it works

When you use app signing by Google Play, your keys are stored on the same infrastructure that Google uses to store its own keys. Keys are protected by Google’s Key Management Service. If you want to learn about Google’s technical infrastructure, read the Google Cloud Security Whitepapers.

Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app is from a trusted source. Devices only accept an update when its signature matches the installed app’s signature. Letting Google manage your app signing key makes this process more secure.

Note: Using app signing by Google Play is optional. You can still upload an APK and manage your own keys instead of using an app bundle. However, if you lose your keystore or it becomes compromised, you won’t be able to update your app without publishing a new app with a new package name.

Descriptions of keys, artifacts & tools
App signing key

The key Google Play uses to sign the APKs that are delivered to a user's device. When you opt in to app signing by Google Play, you can either upload an existing app signing key or have Google generate one for you.

The app signing key can never be changed for the lifetime of your app. Keep your app signing key secret, but you can share your app’s public certificate with others.

Upload key

The key you use to sign your app bundle or APK before you upload it on Google Play. Keep your upload key secret, but you can share your app’s public certificate with others. For security reasons, it’s a good idea to have app signing and upload keys that are different from each other.

There are two ways to generate an upload key:

  • Use your app signing key: If you have Google generate an app signing key when you opt in to app signing, the key that you use for your first release is also your upload key.
  • Use a separate upload key: If you provide your own app signing key when you opt in to app signing, you are given the option to generate a new upload key for increased security. If you don’t generate one, use your app signing key as your upload key to sign releases.

Certificate (.der or .pem)

A certificate contains a public key and extra identifying information about who owns the key. The public key certificate lets anyone verify who signed the app bundle or APK, and you can share it with anyone because it doesn’t include your private key.

To register your key(s) with API providers, you can download the public certificate for your app signing key and your upload key from the App signing page on the Play Console. The public key certificate can be shared with anyone. It doesn’t include your private key.

Certificate fingerprint

A short and unique representation of a certificate that is often requested by API providers with the package name to register an application to use their service.

The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates can be found on the App signing page of the Play Console. Other fingerprints can also be computed by downloading the original certificate (.der) on the same page.

Java keystore (.jks or .keystore)

A repository of security certificates and private keys.

Play Encrypt Private Key (PEPK) tool

A tool to export private keys from a Java keystore and encrypt them for transfer to Google Play.

When you provide the app signing key for Google to use, select the option to export and upload your key (and its public certificate if required) and follow the instructions to download and use the tool. If you prefer, you can download, review and use the PEPK tool’s open source code.

App signing process

You can upload APKs signed with the original app signing key before or after you opt in to app signing by Google Play.

If you’re starting to use Android App Bundles, you can test them in testing tracks while you use your existing APK in production. Here’s how the process works:

  1. Sign your app bundle or APK and upload it to your Play Console.
  2. Depending on what you upload, here’s how the signing process differs:
    • App bundle: Google generates optimised APKs from your app bundle and signs them with the app signing key.
    • APK signed with upload key: Google verifies and strips your signature from the APK, and then resigns the APK with the app signing key.
    • APK signed with app signing key: Google verifies the signature.
  3. Google delivers signed APKs to users.

Opt in to app signing by Google Play

New apps

Step 1: Create an upload key

  1. Following the instructions, create an upload key.
  2. Sign your new APK with the upload key.

Step 2: Prepare your release

  1. Follow the instructions to prepare and roll out your release.
  2. After you select a release track, configure app signing under the 'Let Google manage and protect your app signing key' section.
  3. Select Continue, which makes the generated key your upload key that you use to sign future releases, or Advanced options, which include:
    • Using the same key as another app on your developer account (Option 2).
    • Upload an existing app signing key (Option 2, 3 and 4): Choose the export and upload option that works best for you. After you upload your app signing key and its public certificate, you can create an upload key or continue using the app signing key as your upload key.

Note: You need to accept the Terms of Service and opt in to app signing to continue.

Step 3: Register your app signing key with API providers

If your app uses any APIs, you usually need to register the certificate of the key that Google signs your app with, identified by its fingerprint, with each API provider for authentication purposes. Here’s where to find the certificate:

  1. Sign in to your Play Console.
  2. Select an app.
  3. At the left menu, select Release management > App signing.
  4. Copy the fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate.
    • If the API provider requires a different type of fingerprint, you can also download the original certificate in .der format and convert it using the transformation tools that the API provider requires.
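A certificate fingerprint is nothing more than a digest over the certificate's DER bytes, so any fingerprint an API provider asks for can be computed locally from the .der downloaded in step 4 above (or from an exported .pem, as in the Certificate fingerprint entry earlier). The script below is an added example, not part of the Play Console documentation or of Google's tooling; it assumes the certificate path is passed as its first argument, and SAMPLE_PEM is a constructed stand-in (the bytes "abc" in PEM armour, not a real certificate) so the script also runs with no file.

```python
import base64
import hashlib
import re
import sys

# A certificate fingerprint is a hash over the certificate's raw DER bytes,
# shown as colon-separated uppercase hex (the form keytool and the Play Console use).
FINGERPRINT_ALGOS = ("md5", "sha1", "sha256")
LABELS = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in so the script runs with no file: this is NOT a real
# certificate, just the bytes b"abc" wrapped in PEM armour.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER bytes."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # remove line breaks inside the body
    return base64.b64decode(body, validate=True)


def load_der(raw: bytes) -> bytes:
    """Accept the bytes of either a .pem or a .der file and return DER bytes."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(raw.decode("ascii"))
    return raw


def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated uppercase hex digest of the DER bytes, e.g. 'AB:CD:...'."""
    if algo not in FINGERPRINT_ALGOS:
        raise ValueError(f"unsupported algorithm: {algo}")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def all_fingerprints(raw: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 fingerprints keyed by the labels the Play Console shows."""
    der = load_der(raw)
    return {LABELS[a]: fingerprint(der, a) for a in FINGERPRINT_ALGOS}


if __name__ == "__main__":
    # Usage: python fingerprints.py upload_certificate.pem  (or a downloaded .der)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    for label, value in all_fingerprints(raw).items():
        print(f"{label}: {value}")
```

Compare the printed values against the App signing page before registering them with a provider; a mismatch means you are holding the wrong certificate (upload key instead of app signing key, or vice versa).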

Existing apps

Step 1: Enrol in app signing by Google Play

  1. Sign in to your Play Console.
  2. Select an app.
  3. At the left menu, select Release management > App signing.
  4. If you haven’t already, review the Terms of Service and select Accept.

Step 2: Send your original key to Google and create an upload key

  1. Locate your original app signing key.
  2. Sign in to your Play Console.
  3. Select an app.
  4. At the left menu, select Release management > App signing.
  5. Select the export and upload option that best suits your release process and upload an existing app signing key.

Step 3: Create an upload key (optional and recommended)

  1. Create an upload key and upload the certificate to Google Play.
    • You can also continue to use the app signing key as your upload key.
  2. Copy the fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate.
    • For testing purposes, you may also need to register the certificate of your upload key with API providers, using its certificate fingerprint, alongside the app signing key.

Step 4: Sign your next app update with the upload key

When you release updates for your app, you need to sign them with your upload key.

  • If you didn’t generate a new upload key: Continue using your original app signing key to sign releases before you upload them to Google Play. If you lose your app signing key, you can generate a new upload key and register it with Google to continue updating your app.
  • If you generated a new upload key: Use your new upload key to sign releases before you upload them to Google Play. After you upload them, Google checks the release for an upload key to verify your identity. If you lose your upload key, you can contact support to reset it.

Create an upload key & update keystores

For increased security, signing your app with a new upload key, instead of your app signing key, is recommended.

You can create an upload key when you opt in to app signing by Google Play, or you can create an upload key later by visiting Release management > App signing.

Here’s how to create an upload key:

  1. Follow the instructions on the Android Developers site. Store your key in a safe place.
  2. Export the certificate for the upload key to PEM format. Replace the keystore filename and key alias arguments (shown below as upload-keystore.jks and upload) with your own:
    • $ keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem
  3. When prompted during the release process, upload the certificate to register it with Google.

When you use an upload key:

  • Your upload key is only registered with Google to authenticate the identity of the app creator.
  • Your signature is removed from any uploaded APKs before they’re sent to users.

Upload key restrictions

  • Must be an RSA key that's 2048 bits or more.
  • DSA, EC and RSA keys that are less than 2048 bits aren’t supported.

Update keystores

After you create an upload key, here are some locations that you may want to check and update:

  • Local machines
  • Locked on-site server (varying ACLs)
  • Cloud machine (varying ACLs)
  • Dedicated secrets management services
  • (Git) repositories

Upgrade your app signing key for new installs

In some circumstances, you can request an app signing key upgrade. Your new key is used to sign new installs and app updates. Your legacy app signing key is still used to sign updates for users who installed your app before the key upgrade.

Each app can only have its app signing key upgraded once in its lifetime. In the unlikely event that you have multiple apps using the same signing key specifically to run in the same process, you won’t be able to use key upgrade for those apps.

Here are a couple of reasons to request an app signing key upgrade:

  • You need a cryptographically stronger key.
  • Your app signing key has been compromised.

Note: Requesting an app signing key upgrade on the Play Console is unrelated to key rotation introduced in APK signature scheme v3 for Android P and above. This type of key rotation isn’t currently supported by Google Play.

Important considerations before requesting a key upgrade

Before requesting a key upgrade, it’s important to understand the changes that you may need to make once the upgrade is complete.

  • If you use the same app signing key for multiple apps in order to share data/code between them, you need to update your apps to recognise both your new and legacy app signing key certificates.
  • If your app uses APIs, make sure that you register the certificates for your new and legacy app signing key with API providers before publishing an update, to ensure that the APIs continue working. Certificates are available on the App signing page on the Play Console.
  • If many of your users install updates via peer-to-peer sharing, they’ll only be able to install updates that are signed with the same key as the version of your app which they already have installed. If they’re unable to update their app because they have a version of your app that’s signed with a different key, they have the option of uninstalling and reinstalling the app to get the update.

Request a key upgrade for new installs

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, select Release management > App signing.
  4. In the 'Upgrade your app signing key for new installs' card, select Request key upgrade.
  5. Select an option.
    • Depending on the option that you select, you may need to contact support to complete your request.
  6. Get Google to generate a new app signing key (recommended) or upload one.
    • After upgrading your app signing key, if you were using the same key for your app signing and upload key, you can continue using your legacy app signing key as your upload key or generate a new upload key.

Best practices

  • If you also distribute your app outside of Google Play or plan to later, you can generate the app signing key that you want to use for every app store, and then upload it to Google when you opt in to app signing by Google Play.
  • To protect your account, turn on 2-step Verification for accounts with access to your Play Console.
  • After publishing an app bundle to a test or production track, you can visit the app bundle explorer to download a ZIP archive with all of the APKs for a specific device. These APKs are signed with the app signing key, and you can install the APKs in the ZIP archive on a device using the bundletool command line utility.
  • For increased security, generate a new upload key that’s different from your app signing key.
  • If you want to test the APK signed with the upload key, you need to register your upload key with any service or API that uses your app's signature for authentication, such as the Google Maps API or Facebook SDK.
  • If you're using any Google API, you may want to register the upload certificate in the Google Cloud Console for your app.

Lost or compromised upload key?

If you’ve lost your private upload key, or it’s been compromised, you can create a new one and then ask your account owner to contact support to reset the key. When contacting support, make sure that your account owner attaches the upload_certificate.pem file.

After our support team registers the new upload key, you will receive an email, and then you can update your keystores and register your key with API providers.

Important: Resetting your upload key doesn’t affect the app signing key that Google Play uses to re-sign APKs before delivering them to users.
