Manage your app signing keys

With Google Play App Signing, you can securely manage your app signing keys for new or existing apps. Keys are stored on the same secure infrastructure Google uses to store its own keys.

If you lose your keystore or think it may be compromised, Google Play App Signing makes it possible to request a reset to your upload key. If you're not enrolled in Google Play App Signing and lose your keystore, you'll need to publish a new app with a new package name.

About Google Play App Signing

Without Google Play App Signing: You sign the app with your app signing key, upload your app to Google Play and then your app is delivered to the user.

With Google Play App Signing: You sign your app with your upload key. Then, Google verifies and removes the upload key signature. Finally, Google re-signs the app with the original app signing key that you provided and delivers your app to the user.

Important: App Signing opt-in is permanent

Google Play App Signing is an optional program. If you prefer, you can continue managing your own keys.

Once you've enrolled your app in Google Play App Signing, withdrawal is not supported. To preserve the security of your app signing keys, we don't have the ability to remove keys from the secure server.

Types of keys & important definitions

  • App signing key: The key used to sign the APK that's on a user's device. You currently hold the app signing key and use it to sign your APKs. When you complete the program sign-up flow, you will upload this key to Google.
  • Upload key: A new key that you generate during your enrolment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
  • Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
  • Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
  • Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.
  • PEPK tool: Play Encrypt Private Key is a tool for exporting private keys from a Java Keystore and encrypting private keys for transfer to Google Play as part of enrolling in Google Play App Signing.

Tips & best practices

  • To protect your developer account, we recommend that you turn on 2-Step Verification for all accounts with access to your Play Console.
  • If you want to test the APK signed with the upload key, you will need to register your upload key with any service or API that uses your app's signature for authentication (like the Google Maps API or Facebook SDK). If you're using any Google API, you may want to register the upload certificate in the Google Cloud Console for your app.

Overview

Before you get started, watch the app signing overview video on the Android Developers Blog.

New apps

Step 1: Create an upload key
  1. To create an upload key for new apps, follow the instructions on sign your app.
  2. Sign your new APK with the upload key.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.
  • Your signature is removed from any uploaded APKs before being sent to users.

Upload key restrictions

  • The upload key must be an RSA key that's 2,048 bits or more.
  • The following aren't supported: DSA keys, EC keys or RSA keys that are less than 2,048 bits.

Step 2: Prepare your release

Prerequisite: If you're a Play Console account owner, you can opt in to Google Play App Signing. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enrol individual apps into the program.

  1. Go to your Play Console.
  2. Select an app.
  3. On the left menu, select Release management > App releases.
  4. Next to 'Google Play App Signing', select Accept.

Step 3: Upload your signed app
  1. Follow the steps to prepare & roll-out a release.
  2. Before the app is delivered to users, Google Play will remove your upload key signature and re-sign with a new key.

Step 4: Register your app signing key with API providers

If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.
  4. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.
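An added example in Python (not Google's or the Play Console's code) showing what the fingerprints above actually are: hashes over the DER-encoded certificate, formatted as colon-separated hex, base64, or whatever the provider wants, plus a format-insensitive comparison against the signer digest that the Android SDK's `apksigner verify --print-certs` prints for a downloaded Play-signed APK. The PEM body and the apksigner output line are constructed samples, not real certificates.

```python
import base64
import hashlib
import re

# Added example, not Google's code. A certificate fingerprint is a hash over the
# DER-encoded certificate, so the PEM from `keytool -export -rfc` and the DER
# downloaded from the Play Console give identical values.

def pem_to_der(pem_text: str) -> bytes:
    """Strip the BEGIN/END CERTIFICATE armour and base64-decode the body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form the Play Console shows."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def base64_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Raw digest as base64, for providers that want that form instead of hex."""
    return base64.b64encode(hashlib.new(algo, der).digest()).decode()

def normalize(fp: str) -> str:
    """Make 'AB:CD', 'ab:cd' and 'abcd' comparable: lower-case hex, no separators."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def fingerprints_match(a: str, b: str) -> bool:
    """True only when both are non-empty and hex-identical regardless of format."""
    return bool(normalize(a)) and normalize(a) == normalize(b)

def apksigner_digest(output: str, algo: str = "SHA-256") -> str:
    """Pull 'Signer #1 certificate <algo> digest: <hex>' from apksigner output."""
    m = re.search(rf"Signer #1 certificate {re.escape(algo)} digest: ([0-9a-fA-F]+)",
                  output)
    if not m:
        raise ValueError(f"no {algo} digest for signer #1 in apksigner output")
    return m.group(1)

# Constructed inputs (not real certificates): the PEM body is base64 of b"abc".
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
CONSTRUCTED_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=Example\n"
    "Signer #1 certificate SHA-256 digest: "
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
```

Compare the digest from a locally built APK against the upload certificate, and the digest from an APK downloaded from the Play Console against the app signing certificate; the two should differ, since Play strips the upload signature and re-signs.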

Existing apps

Step 1: Opt into the program

Prerequisite: If you're a Play Console account owner, you can opt in to Google Play App Signing. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enrol individual apps into the program.

To opt in an app:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.
  4. Review the Terms of Service and select Accept.

Step 2: Send your original key to Google & create an upload key

To upload your original key to Google Play and create an upload key:

  1. Find your original app signing key.
  2. Sign in to your Play Console.
  3. Select an app.
  4. On the left menu, click Release management > App signing.
  5. Follow the on-screen instructions to transfer your original app signing key, generate an upload key and register the upload key with Google.
  6. On the next screen, you'll be shown a fingerprint of your app's certificate.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.
  • Your upload key is removed from any uploaded APKs before being sent to users.

Upload key restrictions

  • The upload key must be an RSA key that's 2,048 bits or more.
  • The following aren't supported: DSA keys, EC keys or RSA keys that are less than 2,048 bits.

Step 3: Update your keystores

After you create an upload key, update your keystores. For example, you may want to check the following locations:

  • Local machine
  • Locked on-site server (varying ACLs)
  • Cloud machine (varying ACLs)
  • Dedicated secrets management services
  • (Git) repositories

Step 4: Sign your next app update with the upload key

All updates to your existing app must now be signed with your upload key. This will allow Google to verify your identity. Google will re-sign your APK before delivering the update to users.

To find your app's upload key:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.

Modifications to your APK

Apps that are signed by Google will have a 'derived APK ID' written into their AndroidManifest.xml file. You'll see a meta-data element added under the application tag that references <meta-data android:name="com.android.vending.derived.apk.id" android:value="[ID]" />.

This ID is the identifier of the modified APK and will be reported in the usual bug reporting tools. You can use the derived APK ID to recognise a specific APK that was delivered by Play.

To download the Google Play signed APK in your Play Console, go to Release management > Artifact library.

Lost or compromised private keys

If you're enrolled in Google Play App Signing, you can reset your upload key if:

  • You lost your private key, or
  • Your private key has been compromised

Note: Resetting your upload key will not affect the app signing key that Google Play uses to re-sign APKs before delivering to users.

Reset your upload key

Step 1: Generate a new private key and upload certificate

To generate and register a new upload key, follow the instructions in the Android Studio Help Centre. The new key must be different from your previous key.

Then, export the certificate for the new key to PEM format:

keytool -export -rfc -alias <upload> -file <upload_certificate.pem> -keystore <keystore.jks>

Step 2: Contact our support team

Our support team only accepts key reset requests from the Play Console account owner.

To contact us, the account owner can fill out this form. Make sure to attach the upload_certificate.pem file.

You'll receive an email once we've registered the new upload key. At that time, you can follow the steps listed above to update your keystores and API provider registration.
