How to generate 11 char hash key for Sms Retriever with Google App signing

Question

I had generated the 11 char hash using the AppSignatureHelper class. But after uploading the apk to play store, they hash doesn't work anymore. And I found out that Play replaces the key with another one which is why the hash gets changed as well. Now I'm having trouble getting the 11 char hash key.

I don't know how to use the commands given by Google. I found this command from here

Since, Play App signing is enabled for my app, I'll have to use this command,

I've replaced keytool with its path from the JDK's bin folder but then it was saying xxd was not recognized so I downloaded it from a website now it's saying tr is not recognized, I guess it'll say that for cut as well.

Please pardon me if it seems too noob of me asking it, but how can I resolve this?

UPDATE: I've tried the second command from above on a linux machine, the command worked and gave me 11 character hash but still the SMS Retriever is not working.

SOLUTION: With the help of Nick Fortescue's answer, I downloaded the DER formatted file. Then converted it to a .jks file using the following command,

keytool -importcert -alias myalias -file deployment_cert.der -keystore certificate.jks -storepass mypassword

Then performed the first command from above on certificate.jks and it worked!

How to generate hash into windows machine, because I am also facing same issue. xxd, tr, ... not recognized. — Ankit Kumar Singh, Dec 03 '18 at 07:46
@AnkitKumarSingh I used Linux. I don't know how to do it on Windows. — Farhan Farooqui, Dec 04 '18 at 08:14
@AnkitKumarSingh You can use bash terminal to execute that command on Windows. — Rafay Ali, Jan 09 '19 at 11:22
can someone please explain do I need to replace MyProductionKeys.keystore with my keystore or it's a part of command — Hemendra Khatik, Oct 26 '21 at 06:40

score 63 · Accepted Answer · edited Apr 30 '19 at 11:58

63

Here is the complete step by step guide .

Go to play console -> open app -> Release management -> App Signing -> Download Certificate . Like in below screen shot

This will give you deployment_cert.der file

Convert the deployment_cert.der file to a .jks file

use below command

keytool -importcert -alias YOUR_ALIAS -file deployment_cert.der -keystore certificate.jks -storepass YOUR_PASSWORD

Replace YOUR_ALIAS,YOUR_PASSWORD with yours which used in keystore . In place of deployment_cert.der use complete path if required

After entering this command it will ask

Trust this certificate? [no]: yes

type yes and click enter . It will show message

Certificate was added to keystore

This will generate a new file certificate.jks

Now in terminal enter command

keytool -exportcert -alias YOUR_ALIAS -keystore certificate.jks | xxd -p | tr -d "[:space:]" | echo -n YOUR_PACKAGE `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11

Replace YOUR_ALIAS,YOUR_PACKAGE with yours which used in keystore,project . In place of certificate.jks use complete path if required

it will ask for password

Enter keystore password: mypassword

enter your password and you will get the hash .

EDIT For MacOS users:

If you're using MacOS you can install sha256sum by installing coreutils like this:

brew install coreutils

Or you can use shasum -a 256 instead of sha256sum like this:

Credits to Abhinav Gupta and Op of this question Farhan Farooqui and above answer from Nick Fortescue

edited Apr 30 '19 at 11:58

Hassan Warrag

48
6

answered Apr 24 '19 at 12:05

Manohar

22,116
9
108
144

3

The perfect solution, Works!! Thanks. I had to read a bunch of app's signing process to get my head around it. – Racer May 03 '19 at 12:06
1

Hi I'm getting following error, keytool error: java.lang.Exception: Public keys in reply and keystore don't match – Sachin Oct 23 '19 at 10:09
7

for me hashstring not generating after entering the password in mac – M.Yogeshwaran Nov 26 '19 at 09:49
2

I followed all the steps and got the hash key. I added the hash key to my SMS. But still, it is not working on play store apk. – Pawan asati Jan 28 '20 at 09:40
May be you entered wrong password in the last step , use your jks/keystore password – Manohar Jan 28 '20 at 10:52
7

for mac if doesn't work, replace it with – JainAnk Sep 15 '20 at 03:09
How do I get the hash key if my app is still in development and I did not signin with Google? – Akshay kumar Oct 09 '20 at 04:31
1

@Akshaykumar see https://stackoverflow.com/questions/53849023/android-sms-retriever-api-computing-apps-hash-string-problem – Manohar Oct 09 '20 at 05:31
1

It does not ask `password` for me, and shows error: `tr: write error` – Kuvonchbek Yakubov Nov 16 '20 at 08:44
make sure your the command, ALIAS, Application id are correct . – Manohar Nov 16 '20 at 08:55
@ManoharReddy it showed `hashCode` but release version still is not getting SMS – Kuvonchbek Yakubov Nov 16 '20 at 09:59
If it didn't ask for password then it will give wrong value . Only with correct password you will get right hashcode – Manohar Nov 16 '20 at 10:01
You won't need to download certficate from Play Console if you have already jks or extensionless keystore file. Use it to get the hash key. – Egemen Hamutçu Feb 05 '21 at 18:18
Help! Stuck after entering password. – Akbar Pulatov Jun 17 '22 at 10:53
I have the same problem as @KuvonchbekYakubov. – Ahmed Nabil Jul 19 '22 at 13:42

score 13 · Answer 2 · answered Feb 14 '19 at 00:57

13

As default bash commands were not working for me and I needed to generate hashes for both local keystore and Google Play certificate, I wrote my own Ruby script for that: https://github.com/michalbrz/sms-retriever-hash-generator/blob/master/google_play_sign.rb

Then generating hash with Google Play signing is just:

ruby google_play_sign.rb --package com.your.app --google-play-key deployment_key.der

where deployment_key.der is certificate downloaded from Google Play as in Nick's response.

Under the hood it transforms Google Play cert into keystore and basically does what other suggested bash commands do, but wraps it in something easier to use.

answered Feb 14 '19 at 00:57

michalbrz

3,354
1
30
41

I'm getting this doing your command, some suggestion why I can't get the hash: ruby google_play_sign.rb --package com.xxxx.xxxx --google-play-key deployment_key.der Traceback (most recent call last): 2: from google_play_sign.rb:86:in `
' 1: from google_play_sign.rb:59:in `der_to_keystore' google_play_sign.rb:59:in ``': No such file or directory - keytool -importcert -alias myalias -file deployment_key.der -keystore gp_imported_keystore_temp.jks -storepass mypassword -noprompt (Errno::ENOENT)
– S.P. Apr 16 '19 at 08:21
@S.P. Simple explanation would be that your `deployment_key.der` doesn't exists. Are you sure you are putting correct path there? If you're sure, you can check if command `keytool -importcert -alias myalias -file DER_FILE_PATH -keystore gp_imported_keystore_temp.jks -storepass pwd -noprompt` would work for you - of course you should substitute DER_FILE_PATH with real path. – michalbrz May 04 '19 at 15:42

score 9 · Answer 3 · answered Jul 17 '18 at 07:39

9

In the help documents for Google Play App Signing it has a section "New Apps". Step 4 in this section is:

Step 4: Register your app signing key with API providers If your app uses any API, you will usually need to register the certificate of the key Google signs your app with for authentication purposes. This is usually done through the fingerprint of the certificate.

To find the certificate of the key Google uses to re-sign your APK for delivery:

Sign in to your Play Console.

Select an app.

On the left menu, click Release management > App signing.

From this page, you can copy the most common fingerprints (MD5, SHA-1 and SHA-256) of your app signing certificate. If the API provider requires a different type of fingerprint, you can also download the original certificate in DER format and run it through the transformation tools that the API provider requires.

Download the original certificate in DER format and then use your command on that certificate.

answered Jul 17 '18 at 07:39

Nick Fortescue

13,530
1
31
37

Hi, thanks for your reply. I've found the DER formatted file, Now I just have to replace `MyProductionKeys.keystore` with the DER file's path in the command? – Farhan Farooqui Jul 17 '18 at 08:47
I had used the SHA-256 before and tried to get the 11 char Hash, but that doesn't work either, SMS Retriever can't detect it – Farhan Farooqui Jul 17 '18 at 08:48
I got below error : keytool error: java.lang.Exception: Public keys in reply and keystore don't match – sandeepmaaram Dec 05 '18 at 07:07
1

`keytool -exportcert -alias MyAndroidKey -keystore MyProductionKeys.keystore | xxd -p | tr -d "[:space:]" | echo -n com.example.myapp `cat` | sha256sum | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11` this command needs alias which is not provided with Play provided DER file. – Vipul Asri Jan 16 '19 at 05:04
Use alias you used in main keystore file – Manohar Apr 24 '19 at 11:59

0case · Answer 4 · 2022-09-15T14:35:56.427

These steps worked for me on Mac:

Upload a build (need not be functional) and release to at least internal testing track.
Download app signing certificate from google play console (setup (left sidebar navigation) > App Integrity > App Signing):
Go to downloads folder and run the following commands:

cd ~/Downloads

➜ keytool -importcert -alias my-upload-key-alias -file deployment_cert.der -keystore certificate.jks -storepass notARealPassword

...

Trust this certificate? [no]:  yes
Certificate was added to keystore

➜ keytool -exportcert -alias my-upload-key-alias -keystore certificate.jks | xxd -p | tr -d "[:space:]" | xargs echo -n com.myapp | shasum -a 256 | tr -d "[:space:]-" | xxd -r -p | base64 | cut -c1-11
Enter keystore password: notARealPassword
6bAhwera2r5

6bAhwera2r5 is your 11 char hash key which you can use for SMS Retriever feature.

Append the hash to the end of sms that want to be autodetected and content to be passed to you app by android. Example template:

<#> Dear customer, {#var#} is your one time password for AppName account verification. 6bAhwera2r5

this template is compliant with Indian DLT rules.

score 3 · Answer 5 · answered Nov 20 '19 at 07:16

I know I replied very late. But I got the solution for this.

First follow the steps given by Manoher Reddy as above.

If this not work, try following alternate solution, it worked for me in various apps:

provide the play store generated hash to backend. For generating hash key on playstore, i have used AppSignatureHelper class and make Toast for the generated hash key and upload this build on play store. After successfully rollout, i have download the build. Now Toast will show with the playstore generated hash key, provide this key to backend. It is working fine for me.

yes, unfortunalty my log was enabled and it was printed new key(with appSignatureHelper calss) with play store apk and its woking fine — PNR, Aug 07 '20 at 10:20

score 1 · Answer 6 · answered Oct 14 '22 at 06:37

Go to play console -> open app ->App integrity -> App signing

EDIT For MacOS users: If you're using MacOS you can install sha256sum by installing coreutils like this:

brew install coreutils

Or you can use shasum -a 256 instead of sha256sum like this:

score 0 · Answer 7 · answered Dec 19 '18 at 12:03

try this

C:\Program Files\Java\jdk1.8.0_25\bin> keytool -exportcert -alias *Alias -keystore *keystorePath | C:\OpenSSL\bin\openssl.exe sha1 -binary | C:\OpenSSL\bin\openssl.exe base64

replace *Alias with your alias and *keystorePath with your kestore location. Also put right path of openssl.exe if its installed to another directory

score -1 · Answer 8 · answered Feb 15 '19 at 14:08

I found all those commands and the process itself a little bit messy (I also have projects with 4 environment with 4 different packages), so what I did is to include the hash on the payload from the client when the client request a OTP, then the server save it (trust on first use) for manual review on the content management system. Didn't find any security aspect using this method

How to generate 11 char hash key for Sms Retriever with Google App signing

8 Answers8

EDIT For MacOS users:

Linked