
I created a keystore, created a key, and then signed my first app. I proceeded to upload the signed APK to the Google Play store, and multiple people have already downloaded the beta app. Since then, I have made some updates to my app and I need to upload a new APK. I use the Google Play App Signing. The certificate I initially signed my app with had the fingerprint [SHA1: 0A:...:1A].

I signed my updated app version with the SAME keystore and key combination. However, when I go to upload the new APK, I receive the error message "You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint [SHA1: BB:...:31] and the certificate used to sign the APK you uploaded have fingerprint: [SHA1: 0A:...:1A]" then proceeds to talk about fingerprints. So I assume my issue is that I signed my APK under the "original" certificate I created alongside creating the key, and now I must use the "new" certificate from Google Play. I downloaded the "Upload Certificate" from the Google Play Console -> App Signing page, and verified the fingerprint is the same as the fingerprint being requested in the error ([ SHA1: BB:...:31 ]).

I imported the "Upload Certificate" into my keystore using the Terminal command "keytool -importcert". My keystore now has 2 entries: my original key entry, which is a "PrivateKeyEntry" with a certificate fingerprint [SHA1: 0A:...:1A], and the imported certificate, which is a "trustedCertEntry" with the fingerprint [SHA1: BB:...:31], the same fingerprint as the Upload Certificate fingerprint.

I then attempted to sign my APK with the second key listed, which is a "trustedCertEntry". I received the error "Failed to read key >keyname< from store ">keystore<": trusted certificate entries are not password-protected". While signing, I entered a password, despite never actually giving the new key a password.

So my question is: what "password" am I supposed to be using? I have not found any documentation on Google's websites about using the "Upload Key" and I have found a few Stack Overflow questions regarding the Upload Key but no one has specifically addressed the matter. Usually, people redirect to "Just use the 'Generate Signed APK' button", but I would like to make clear: This option does not work.

Is there something I'm missing?

  • Same experience. Unless I've severely misunderstood something, the GPAS process is ass backwards -- the keystore I use to sign my app with will be the _upload_ key, i.e. I provide that, and Google provides the _signing_ key / certificate. Since the signing certificate that I can download doesn't have a private key, I cannot sign with that. ("Trusted certificate entries are not password-protected.") – zyndor Sep 12 '17 at 11:45
  • Just to be sure, I've just created a test app entry, and enrolled it to GPAS. It had a signing certificate before I've supplied one or uploaded an APK. – zyndor Sep 12 '17 at 11:45
  • Has anyone been able to get over the "Trusted certificate entries are not password-protected."? I have been stuck for days... – Samy Oct 25 '17 at 07:21
  • Been stuck here in pretty much the same situation myself. – Randall Arms Jan 28 '18 at 20:48
  • @Samy0.23 did you solve this issue? – artem Feb 06 '18 at 20:10
  • Has anyone figured this out? I'm stuck as well. "Trusted certificate entries are not password-protected" – Bassinator Jun 11 '18 at 18:31

0 Answers