How to change app signing key on Play Console?

Question

I want to replace the signing key generated by Google with mine, so I can update the app installed from Play Store by downloading standalone APK without issues.

I have to follow this step:

java -jar pepk.jar --keystore=foo.keystore --alias=foo --output=output.zip  --signing-keystore=uploadkey.keystore --signing-key-alias=upload-key-alias --encryptionkey=<enc_key>

but I don't understand it. -I already generated a.pepk file with Android Studio, but the platform requires a.zip file. Is there a way to convert it? -The keystore might be the.jks file I use to sign, but what is uploadkey? Is it the upload certificate (.der)?

Answer 1

To this day, Android Studio does not support the generation of the zip file unfortunately, you have to run the command given to you by the Play Console.

The pepk file generated by Android Studio is only useful for an app that has already been enrolled in Play Signing to handover the app signing key to Google. For new apps, the zip is required because you need to handover the certificate as well. Just run the pepk command from the Play Console and upload the zip file, and throw away the pepk file generated by Studio.

As for the difference between the upload key and the app signing key, there's a good table of definitions in the Play Signing documentation in the section "Descriptions of keys, artifacts and tools" :

App signing key

The key Google Play uses to sign the APKs that are delivered to a user's device. When you opt in to app signing by Google Play, you can either upload an existing app signing key or have Google generate one for you.

The app signing key can never be changed for the lifetime of your app. Keep your app signing key secret, but you can share your app's public certificate with others.

Upload key

The key you use to sign your app bundle or APK before you upload it on Google Play. Keep your upload key secret, but you can share your app's public certificate with others. For security reasons, it's a good idea to have app signing and upload keys that are different from each other.

There are two ways to generate an upload key:

• Use your app signing key: If you have Google generate an app signing key when you opt in to app signing, the key that you use for your first release is also your upload key.

• Use a separate upload key: If you provide your own app signing key when you opt in to app signing, you are given the option to generate a new upload key for increased security. If you don't generate one, use your app signing key as your upload key to sign releases.

Make sure you're clear on which key you want to change. It will also depend if you have already uploaded an APK/AAB to the Play Console or not. The upload key can easily be changed at any time by contacting the developer support while choosing the app signing key can only be done when creating the app before uploading the first artifact. After that, it will require something called "key upgrade" which can only be done once in the lifetime of the app (more details in the "Upgrade your app signing key for new installs" section of the same documentation page).