
Use Play App Signing

With Play App Signing, Google manages and protects your app's signing key on the same secure infrastructure that Google uses to store its own keys. These keys are protected by Google’s Key Management Service (KMS). If you want to learn more about this industry-leading infrastructure, read the Google Cloud Security Whitepaper.
Why use Play App Signing? Beyond safeguarding your keys against permanent loss or compromise, enrolling in Play App Signing unlocks Play enhancements for your Android App Bundles (.aab). By letting Google sign the optimized distribution APKs generated from your app bundles, you gain access to valuable services like automatic protection and automatic strings translation using Gemini models. Games gain access to additional automatic services like Play Games Sidekick, Play-as-you-download, and free trials for paid titles.

To configure Play App Signing, you must be the account owner or have the Release to production, exclude devices, and use Play App Signing permission, and accept the Terms of Service.

Core concepts

When you use Play App Signing, you deal with two distinct keys. Understanding the difference—and their technical formats—is critical to avoiding authentication issues with third-party APIs.

Upload key

  • Who holds it? You (keep this secure!)
  • Format: Stored in a Java keystore (.jks or .keystore).
  • Requirement: Must be an RSA key of 2048 bits or more.
  • Purpose: You use this key to sign your app bundle before uploading it to the Play Console. Google uses it to verify your identity. If compromised or lost, Google can reset this key for you.

App signing key

  • Who holds it? Google Play
  • Format: Associated with a public certificate (.der or .pem).
  • Requirement: Google-generated keys are RSA 4096-bit. Custom keys must be RSA 2048-bit or higher.
  • Purpose: Google uses this key to sign the final APKs delivered to users' devices. You can have Google generate this, or you can provide your own. This key cannot be reset if you manage it yourself (without Play App Signing) and lose it.

Note: For maximum security, your upload key and app signing key should be different.

How Google signs your app: When Google generates and signs your APKs with the app signing key, it uses apksigner to add two stamps to your app’s manifest (com.android.stamp.source and com.android.stamp.type). These stamps ensure your APKs are securely traceable to the original signer.

Set up Play App Signing

The setup process depends on whether you are publishing a new app or migrating an existing one.

For new apps

  1. Create an upload key: Generate a keystore to sign your release app bundle. You can generate it in Android Studio or use the Java keytool utility from the command line.
  2. Upload your app bundle: Go to your Play Console and prepare a new release. By default, when you upload your app bundle, Play App Signing automatically generates a cryptographically strong RSA 4096-bit key to manage and protect your app. Over 90% of new apps use this recommended default, and no further action is required to set it up.
  3. Change your app signing key (optional): Advanced developers who want to manage their own key can change this default. You can do this by clicking Change signing key in the App integrity section of your release, or by navigating to Protected with Play > Play Store distribution > Go to Play app signing. You can then choose to:
    • Use the same key as another app in this developer account.
    • Provide a copy of your app signing key: First, download Google's public encryption key from the Play Console. Then, use the Play Encrypt Private Key (PEPK) tool (you can download the compiled tool or its source code directly from the Console to verify or build it yourself) to securely encrypt and upload your existing RSA key (2048-bit or higher) from any repository.

For existing apps

If you currently manage your own keys and upload APKs, you can upgrade to Play App Signing to take advantage of app bundles and Play enhancements.

  1. Go to Protected with Play > Play Store distribution > Go to Play app signing in the Play Console.
  2. Accept the terms of service, if you haven't already.
  3. Transfer a copy of your original key: Download the PEPK tool and follow the unified step-by-step instructions to encrypt and upload your existing app signing key from any repository.
  4. Create a new upload key (recommended): Generate a new key in Android Studio to use as your upload key going forward, and register its certificate in the Play Console.

Register with API providers

If your app uses APIs (like Google Maps, OAuth, or Facebook Login), those services authenticate your app using your app signing key's fingerprint.

Because Google signs the final APK, you must register the Google-held app signing key fingerprint with your API providers, not just your local upload key.

  1. Go to Protected with Play > Play Store distribution > Go to Play app signing.
  2. Scroll to the App signing key section.
  3. Copy the required fingerprints (SHA-1 or SHA-256).
  4. Paste these fingerprints into your API provider's console (for example, Google Cloud Console).
    Tip: Update your assetlinks.json file with these fingerprints if you use Android App Links.
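As an added example (not code from the Play Console documentation), the Python below shows where the fingerprints you register with API providers come from: it decodes a PEM certificate of the kind keytool exports, computes the SHA-1 and SHA-256 fingerprints in the colon-separated uppercase layout Play Console shows, checks that the upload certificate and the app signing certificate are different keys (the Note in Core concepts), and emits the assetlinks.json statement for Android App Links. The two certificates are constructed stand-ins (their base64 bodies are the bytes "abc" and "abcd", not real X.509 data), and the com.example.app package name and all function names are assumptions for the example.

```python
import base64
import hashlib
import json
import re

# Constructed stand-in for an exported upload certificate. The body decodes to
# b"abc", so its fingerprints are the standard SHA-1/SHA-256 test vectors for
# "abc", not those of any real key.
UPLOAD_CERT_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed stand-in for the Google-held app signing certificate (decodes to
# b"abcd"), so the distinctness check has two different keys to compare.
APP_SIGNING_CERT_PEM = """-----BEGIN CERTIFICATE-----
YWJjZA==
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Take the first CERTIFICATE block of a PEM file and return its DER bytes."""
    match = _PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # Strip line breaks and whitespace before base64-decoding the body.
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER encoding and format it as colon-separated uppercase hex,
    the layout shown in Play Console and printed by keytool -list."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("Play Console exposes SHA-1 and SHA-256 fingerprints only")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_fingerprints(pem: str) -> dict:
    """Both fingerprints an API provider's console may ask for."""
    der = pem_to_der(pem)
    return {"sha1": fingerprint(der, "sha1"), "sha256": fingerprint(der, "sha256")}


def keys_are_distinct(upload_pem: str, app_signing_pem: str) -> bool:
    """True when the upload key and app signing key are different certificates,
    which is the recommended setup."""
    return pem_to_der(upload_pem) != pem_to_der(app_signing_pem)


def build_assetlinks(package_name: str, sha256_fingerprints: list) -> str:
    """Build the assetlinks.json statement for Android App Links. The
    fingerprints must be those of the app signing key, since that is the key
    on the APKs users actually install."""
    statement = [{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": sha256_fingerprints,
        },
    }]
    return json.dumps(statement, indent=2)


if __name__ == "__main__":
    upload = cert_fingerprints(UPLOAD_CERT_PEM)
    signing = cert_fingerprints(APP_SIGNING_CERT_PEM)
    print("upload key      SHA-256:", upload["sha256"])
    print("app signing key SHA-256:", signing["sha256"])
    if not keys_are_distinct(UPLOAD_CERT_PEM, APP_SIGNING_CERT_PEM):
        print("warning: upload key and app signing key are the same certificate")
    # Register the app signing key, not the upload key, with API providers.
    print(build_assetlinks("com.example.app", [signing["sha256"]]))
```

To run it against a real export, replace the constructed PEM strings with the contents of the file produced by `keytool -export -rfc` (or the certificate downloaded from the App signing key section of Play Console); the SHA-256 value the script prints should match the one shown in the console before you paste it anywhere.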

Manage your keys

Upgrade your app signing key

If your app signing key is compromised, or you need a cryptographically stronger key, you can request an annual key upgrade for all installs on Android N (API level 24) and above.

How enforcement works across Android versions:

  • Android T (API level 33) and above: The Android platform strictly enforces the usage of your upgraded key.
  • Android N (API level 24) to Android S (API level 32): The Android platform itself does not enforce the upgraded key and still recognizes the legacy signing key. However, Google Play Protect provides additional validation by checking that app updates are signed with your upgraded key (unless turned off by the user).

Important consideration:

  • Shared data: Because the platform does not enforce the upgraded key on Android S (API level 32) and below, if you use the same key across multiple apps to share data, those older Android versions will only recognize the legacy key for features like custom permission sharing.

How to upgrade:

  1. Go to Protected with Play > Play Store distribution > Go to Play app signing.
  2. Under the App signing key section, click Upgrade key.
  3. Choose your upgrade path:
    • Let Google Play generate a new app signing key (recommended)
    • Use the same app signing key as another app in this developer account
    • Provide a copy of your app signing key (following the instructions)
  4. If providing your own key, generate and upload a "proof-of-rotation" using the apksigner tool (bundled with Android SDK Build Tools). (For details on the flags used here, see the apksigner command-line documentation):
    • apksigner rotate --out /path/to/new/file --old-signer --ks old-signer-jks --set-rollback true --new-signer --ks new-signer-jks --set-rollback true
  5. Click Save and register your new key fingerprints with your API providers.

Request an upload key reset

If you lose your upload key or suspect it was compromised, you are not locked out of your app.

  1. Create a new upload key in Android Studio.
  2. Export the certificate to PEM format:
    keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem
    (For more help with keytool and keystore paths, refer to the Android Studio app signing guide).
  3. Have your account owner request an upload key reset via the Play Console help form.
  4. Upload your upload_certificate.pem when prompted.
    Note: Resetting your upload key does not affect the app signing key or your users.

Best practices & alternative distribution

  • Security: Protect your Play Console access by enforcing 2-Step Verification for all users.
  • Play enhancements: Enrolling in Play App Signing unlocks access to Play enhancements for your app bundles. To receive the updates, first make any necessary changes when creating a new release, and then upload the new app bundle.
  • Distributing outside Google Play: If you distribute via other app stores and want to use the same signing key everywhere, you have two options. You can either let Google generate your app signing key and download a signed, universal APK from latest releases and bundles to distribute elsewhere (go to Test & release > Latest releases and bundles, select your app bundle, and click on the Downloads tab), or you can generate the app signing key you want to use for all app stores and transfer a copy of it to Google when you configure Play App Signing.
  • Testing: Use Internal App Sharing to test exactly what Google Play will deliver to users, or download device-specific APKs from the app bundle explorer and install them locally using adb install-multiple *.apk.
  • APK Signature Scheme v4: Play App Signing automatically uses v4 signing for eligible apps to support optimized distribution on Android 11+ devices. No action is required on your part. You can read more about the technical benefits in the APK Signature Scheme v4 documentation.
  • Self-hosted Google Cloud projects: If you have highly specific security requirements (for example, using OEM keys), you can use the Play Developer API to enrol in Play App Signing using a self-hosted Google Cloud project. Note: This is a non-standard setup that is not encouraged. Using a self-hosted project means you assume full responsibility for app signing operations and it prevents Google Play from performing essential features like disaster recovery.
