Manage your app signing keys

With app signing by Google Play, you can securely manage your app signing keys for new or existing apps. Keys are stored on the same secure infrastructure Google uses to store its own keys.

How app signing by Google Play works

For apps using Android App Bundles

App signing by Google Play is required for apps using app bundles. After you've opted in to app signing:

  1. Sign your app bundle and upload it to your Play Console.
  2. Google verifies your signature, removes the signature and processes the bundle to generate a base APK, configuration APK(s), and dynamic feature APKs (if applicable). To learn more, go to the Android Developers site.
  3. Google re-signs the APKs with the original app signing key that you provided and delivers your app to the user.

Google will not re-sign any of your existing or new APKs that are signed with the app signing key. This enables you to start testing your app bundle in the open, closed or internal test tracks while you release your existing APK in production without Google Play making any changes to it. 

If you upload and sign your APK with an upload key, Google will re-sign the APK with your deployment key.

For apps using APKs

When you upload an APK, app signing by Google Play is an optional program. If you prefer, you can continue managing your own keys.

If you lose your keystore or think that it may be compromised, app signing by Google Play makes it possible to request a reset to your upload key. If you're not enrolled in app signing by Google Play and you lose your keystore, you'll need to publish a new app with a new package name.

Permissions & access

If you're a Play Console account owner or a user with the global 'Manage production releases' permission, you can opt in to app signing by Google Play. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enrol individual apps into the program.

Note: Accepting the Terms of Service does not mean that all apps associated with your developer account will automatically be enrolled in app signing.

Types of keys & important definitions

  • App signing key: The key used to sign the APK that's on a user's device. You currently hold the app signing key and use it to sign your APKs. When you complete the program sign-up flow, you will upload this key to Google.
  • Upload key (optional for existing apps): A new key you generate during your enrolment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
  • Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
  • Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
  • Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.
  • PEPK tool: Play Encrypt Private Key is a tool for exporting private keys from a Java Keystore and encrypting private keys for transfer to Google Play.

Tips & best practices

  • To protect your developer account, we recommend that you turn on 2-Step Verification for all accounts with access to your Play Console.
  • If you want to test the APK signed with the upload key, you will need to register your upload key with any service or API that uses your app's signature for authentication (like the Google Maps API or Facebook SDK). If you're using any Google API, you may want to register the upload certificate in the Google Cloud Console for your app.

Overview

Before you get started, watch the app signing overview video on the Android Developers Blog.

New apps

Step 1: Create an upload key
  1. To create an upload key for new apps, follow the instructions on sign your app.
  2. Sign your new APK with the upload key.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.
  • Your signature is removed from any uploaded APKs before being sent to users.

Upload key restrictions

  • The upload key must be an RSA key that's 2,048 bits or more.
  • The following aren't supported: DSA keys, EC keys or RSA keys that are less than 2,048 bits.

Step 2: Prepare your release
  1. Go to your Play Console.
  2. Select an app.
  3. On the left menu, select Release management > App releases.
  4. Next to 'App signing by Google Play', select Accept.

Step 3: Upload your signed app
  1. Follow the steps to prepare & roll out a release.
  2. Before the app is delivered to users, Google Play will remove your upload key signature and re-sign with a new key.

Step 4: Register your app signing key with API providers

If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.
  4. From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.

Existing apps

Step 1: Opt into the program

To opt in an app:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.
  4. Review the Terms of Service and select Accept.

Step 2: Send your original key to Google & create an upload key

To upload your original key to Google Play and create an upload key:

  1. Find your original app signing key.
  2. Sign in to your Play Console.
  3. Select an app.
  4. On the left menu, click Release management > App signing.
  5. Follow the on-screen instructions to transfer your original app signing key. 
    • Optional: You can also generate an upload key and register it with Google.
  6. On the next screen, you'll be shown a fingerprint of your app's certificate.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.
  • Your upload key is removed from any uploaded APKs before being sent to users.

Upload key restrictions

  • The upload key must be an RSA key that's 2,048 bits or more.
  • The following aren't supported: DSA keys, EC keys or RSA keys that are less than 2,048 bits.

Optional steps if you create an upload key

Step 3: Update your keystores

After you create an upload key, update your keystores. For example, you may want to check the following locations:

  • Local machine
  • Locked on-site server (varying ACLs)
  • Cloud machine (varying ACLs)
  • Dedicated secrets management services
  • (Git) repositories

Step 4: Sign your next app update with the upload key

All updates to your existing app must now be signed with your upload key. This will allow Google to verify your identity. Google will re-sign your APK before delivering the update to users. 

To find your app's upload key: 

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.

Create a new upload key

If you're enrolled in app signing by Google Play, you can create a new upload key if:

  • You lost your private key
  • Your private key has been compromised
  • You didn't originally create an upload key for an existing app

Note: Resetting your upload key will not affect the app signing key that Google Play uses to re-sign APKs before delivering to users.

Step 1: Generate a new private key and upload certificate

To generate and register a new upload key, follow the instructions in the Android Studio Help Centre. The new key must be different from your previous key.

Then, export the certificate for the new key to PEM format:

keytool -export -rfc -alias <upload> -file <upload_certificate.pem> -keystore <keystore.jks>
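Before attaching upload_certificate.pem to a reset request, or registering a certificate fingerprint with an API provider (Step 4 under "New apps"), it is worth checking locally that the exported certificate really carries an RSA key of at least 2,048 bits and reading off the same MD5, SHA-1 and SHA-256 fingerprints the Play Console shows. The script below is an added example, not Google's or the Play Console's own code: it reads the PEM produced by the keytool command above (or a DER download), computes the fingerprints as hashes of the DER-encoded certificate, and applies the upload key restrictions stated in this article. It uses only the Python standard library; the DER walker is a minimal one written for this example, and the `make_sample_cert` helper builds structurally valid certificates around placeholder keys (constructed test data, not real keys) so the script runs offline.

```python
"""Check a Play upload certificate: fingerprints and upload-key policy (added example)."""
import base64
import hashlib

OID_RSA = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1 id-ecPublicKey
OID_DSA = bytes.fromhex("2a8648ce380401")       # 1.2.840.10040.4.1 id-dsa
ALGORITHMS = {OID_RSA: "RSA", OID_EC: "EC", OID_DSA: "DSA"}


def pem_to_der(data):
    """Accept PEM text/bytes (keytool -rfc output) or raw DER; return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        items.append((tag, value))
    return items


def fingerprints(cert_der):
    """Colon-separated hex digests of the DER certificate, as the Play Console displays them."""
    return {name: ":".join(f"{b:02X}" for b in hashlib.new(name, cert_der).digest())
            for name in ("md5", "sha1", "sha256")}


def public_key_info(cert_der):
    """Return (algorithm name, RSA modulus bits or None) from the SubjectPublicKeyInfo."""
    _, cert, _ = _tlv(cert_der, 0)                    # Certificate ::= SEQUENCE
    tbs = _children(_children(cert)[0][1])            # tbsCertificate fields
    if tbs[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        tbs = tbs[1:]
    spki = _children(tbs[5][1])                       # serial, sigAlg, issuer, validity, subject, SPKI
    oid = _children(spki[0][1])[0][1]
    name = ALGORITHMS.get(oid, "unknown")
    bits = None
    if name == "RSA":
        key = spki[1][1][1:]                          # BIT STRING: drop the unused-bits byte
        modulus = _children(_children(key)[0][1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
    return name, bits


def meets_upload_key_policy(cert_data):
    """True only for an RSA key of 2,048 bits or more; DSA, EC and short RSA keys fail."""
    name, bits = public_key_info(pem_to_der(cert_data))
    return name == "RSA" and bits is not None and bits >= 2048


# --- constructed sample certificates: placeholder keys and a dummy signature, for the demo only ---
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def make_sample_cert(alg_oid, key_bits):
    """Build a minimal PEM certificate around a placeholder public key (not a real key)."""
    if alg_oid == OID_RSA:
        modulus = (1 << (key_bits - 1)) | 1            # placeholder modulus of the requested size
        key = _der(0x30, _int(modulus) + _int(65537))
    else:
        key = b"\x04" + bytes(2 * (key_bits // 8))     # uncompressed-point shaped placeholder
    spki = _der(0x30, _der(0x30, _der(0x06, alg_oid) + b"\x05\x00") + _der(0x03, b"\x00" + key))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    validity = _der(0x30, 2 * _der(0x17, b"240101000000Z"))
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + sig_alg + _der(0x30, b"")
               + validity + _der(0x30, b"") + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(32)))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, oid, bits in (("RSA-2048", OID_RSA, 2048), ("RSA-1024", OID_RSA, 1024), ("EC-256", OID_EC, 256)):
        pem = make_sample_cert(oid, bits)
        verdict = "accepted" if meets_upload_key_policy(pem) else "rejected"
        print(label, public_key_info(pem_to_der(pem)), verdict)
        print("  SHA-256:", fingerprints(pem_to_der(pem))["sha256"])
```

To check a real export, replace the sample with `open("upload_certificate.pem").read()`; the fingerprints are computed over the DER bytes, so the values match whether you start from the PEM or from a DER download, and `public_key_info` is what tells you before contacting support that a DSA or EC key, or a 1,024-bit RSA key, will be refused.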

Step 2: Contact our support team

Our support team only accepts key reset requests from the Play Console account owner.

To contact us, the account owner can fill in this form. Make sure that you attach the upload_certificate.pem file.

You'll receive an email once we've registered the new upload key. At that time, you can follow the steps listed above to update your keystores and API provider registration.
