Upload failed with signing error for new version of an app on Google Play

Question

For now three of my apps on Google Play I had a signing error like this when trying to upload a new version in the last few days:

Upload failed You uploaded an APK that is signed with a different certificate to your previous APKs. You must use the same certificate. Your existing APKs are signed with the certificate(s) with fingerprint(s):

[ SHA1: 87:17:A3:71:CD:CF:D6:73:71:56:B1:59:DE:89:6D:5A:E0:EE:31:8A,SHA1: 4C:45:1E:30:2D:04:F4:DC:36:0E:EF:29:1B:1E:E1:02:C0:E8:E9:85 ]

and the certificate(s) used to sign the APK you uploaded have fingerprint(s):

[ SHA1: 87:17:A3:71:CD:CF:D6:73:71:56:B1:59:DE:89:6D:5A:E0:EE:31:8A ]

I double-checked the keystore and it is the one I always used. In fact some of the apps have a pro version that use the same keystore and there the update worked fine. What is striking IMO is the strange fingerprint of the old, existing APK, which in the above case has a second entry with "SHA1:" in it and for one of the other apps that failed the old fingerprint was listed as "[ ]", ie an empty one. In the meantime I also updated other apps and in most cases things worked fine. The only thing (I noticed), which the three apps where I have problems with have in common, is that these apps are quite old, with the first APK version dating from 2009 or even 2008. But the pro versions - where things work fine - were introduced later.

There is a similar question Upload failed for newer version apk on google play , but the browser cache solution does not work and I am also quite confident that I used the right key.

Anyone have an idea what might be the solution here? I am starting to think that perhaps for some older apps the fingerprints were incorrectly extracted from the APKs on Google's side (hence the one empty and the other IMO a bit strange fingerprints for old versions). But typically problems originate from between one's own ears...

Thanks

Answer 1

It's possible to sign an APK with more than one key. This was never really a well-supported behavior, and the order the keys will be processed is undefined. But if your early APK was signed with two keys, as the message suggests, then your update will need to be signed with all the same keys (possibly in the same order).

It looks like the first key is the same as the one you used, so you need to find the keystore for the second key. Maybe some part of your build process was re-signing the APK before uploading. A likely suspect might be your debug keystore in ~/.android .

Answer 2

I'm also experiencing this exact same issue. Nothing has changed, I'm still using the same keystore, and updated the app two weeks ago with no problems. Now it's saying that the signed app update has only one SHA1-hash fingerprint certificate, and the existing app in the store has two different SHA1-hash fingerprints, (and one of those is the same as the app update's). So it looks like it used to be signed with two certificates, but now only one. But nothing has changed in the export and signing process - it's done via eclipse export signed application as it always has been.

Perhaps it used to always sign with two, and one of them has been moved or deleted. That's my only theory at this point. Or perhaps something's expired in the Play developer console upload / signing check code in Google land.

Another detail our app shares with OP's app is that it was also first published in 2009.