Google App Signing manages and protects your app’s signing key for you and uses it to sign your APKs for distribution. In this way, the Keystore file is stored and secured in Google Play. You can find detailed information about how to enable Google App Signing for your application here.
In this post, I will explain the most powerful side of the app signing feature: the ability to recover from a lost Keystore file. If you manage the Keystore file yourself, it is impossible to update your app with a new version once you lose that Keystore. Currently, App Signing is the only way to update your application when you have lost your Keystore.
You can save your application in three steps:
1. Create a new ‘keystore.jks’ file
You can create a new ‘keystore.jks’ file either from Android Studio or from the command-line interface. However, Android Studio (version 3.6.1) currently creates a Keystore file that is not in the industry-standard PKCS12 format. It is recommended to migrate to the PKCS12 format. If you have already created a Keystore file, you can migrate it to PKCS12 format using:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12
This command creates a new Keystore file and renames the old one by adding a ‘.old’ suffix, ‘keystore.jks’ to ‘keystore.old.jks’.
Apart from that, you can create a new Keystore in the industry-standard format using the command-line interface:
keytool -genkeypair -alias prod -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
This key must be a 2048-bit RSA key and have a 25-year (9125 days) validity.
2. Export certificate for that new Keystore file to PEM format
Once you have a Keystore file, export its certificate in PEM format; Google will use it to reset the upload key. The new upload key will be used to sign the APKs that you upload to Google Play. You can export the certificate using:
keytool -export -rfc -alias prod -file upload_certificate.pem -keystore keystore.jks
3. Send a request to Google for updating the upload key
Now, you need to send the generated certificate to Google using this form: https://support.google.com/googleplay/android-developer/contact/key
In the form, fill in your app-related information, then choose ‘I have a key or keystore related issue’ -> ‘I have an upload key-related issue’ -> ‘I lost my upload key’ in that order, and explain your problem in a couple of sentences, like ‘I lost my Keystore file and I want to reset my upload key. You can find the new certificate in the attachment.’. Finally, attach the ‘upload_certificate.pem’ file and submit the form.
That’s all. They will reset your upload key in 12–48h and you will be able to update your application with the new keystore file. The Google Play team will send an email when the new upload key is enabled.
Once you have received that mail, you can update your application. By the way, they responded to me in 6 hours! The MD5 and SHA1 keys are just for clarification. Those keys should match the fingerprints generated from your new keystore file. You can check it via:
keytool -list -v -alias prod -keystore keystore.jks...
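The same fingerprint check can be run directly on ‘upload_certificate.pem’, since a certificate fingerprint is the digest of its DER bytes. The following is an added example, not part of the original post; the function names are hypothetical and the sample certificate bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (not a real certificate) so the example runs offline.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprints(der):
    """Digest the DER bytes; format as colon-separated upper-case hex."""
    result = {}
    for name in ("md5", "sha1", "sha256"):
        digest = hashlib.new(name, der).digest()
        result[name.upper()] = ":".join(f"{b:02X}" for b in digest)
    return result


def normalize(value):
    """Drop separators, whitespace and case so pasted values compare cleanly."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def check_against_email(pem_text, emailed):
    """For each algorithm given, report whether it matches the local certificate."""
    local = fingerprints(pem_to_der(pem_text))
    report = {}
    for alg, value in emailed.items():
        key = alg.upper().replace("-", "")  # accept "SHA-1" as well as "SHA1"
        report[alg] = key in local and normalize(local[key]) == normalize(value)
    return report


if __name__ == "__main__":
    # Constructed input: the SHA1 value as it might be pasted, in lower case.
    pasted = {"SHA1": fingerprints(SAMPLE_DER)["SHA1"].lower()}
    print(check_against_email(SAMPLE_PEM, pasted))
```

To use it on a real export, pass the text of ‘upload_certificate.pem’ and the values you were given to `check_against_email`; any `False` means the certificate you hold is not the one that was registered.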