Opting in Existing Apps to Google Play App Signing

Jomar Tigcal, published in ProAndroidDev, Jul 6, 2020

App Signing by Google Play has been around since 2017. With App Signing, Google manages your app signing keys and uses it to sign your APKs for distribution. Enrolling your app in App Signing is optional. You might have decided to handle the signing and storage of your keys instead of uploading them to Google Play.

Now you have changed your mind and want Google to manage your signing key instead of doing it yourself. Or you want to reduce your app’s size and simplify the release process with Android App Bundle, which requires App Signing. So how can you opt in your existing apps to App Signing?

Opting in to app signing by Google Play

Before enrolling your app in App Signing by Google Play, there are two things you need to know. First, there is no opt-out, so make sure that you are ready for it. Second, you won’t be able to download your app signing key from Google Play afterwards, so if you might need it in the future, store a copy somewhere safe.

To enroll your app in App Signing, you need to upload your app signing key to Google Play. Open your app in the Google Play Console and navigate to Release Management > App Signing (Release > Setup > App Signing in the New Google Play Console). Read and accept the Terms of Service.

There are three options to export and upload your app signing key: from Android Studio, from a Java keystore, and from your key (if you’re not using a Java keystore).

Export and upload a key from Android Studio

Using Android Studio is the easiest way to export your app signing key. Open the Build menu, then click Build > Generate Signed Bundle / APK… In the Generate Signed Bundle or APK dialog, select Android App Bundle, then click Next. Select Export encrypted key for enrolling published apps in Google Play App Signing, set the location where you want to export it, then click Next. Android Studio will generate the bundle and export private_key.pepk in the directory you provided.

Export encrypted key with Android Studio

In the Google Play Console App Signing page, select “Export and upload a key from Android Studio” and upload the key Android Studio generated.

Export and upload a key from a Java Keystore

If you’re using a Java keystore to sign your apps, select the “Export and upload a key from a Java keystore” in the Google Play Console App Signing page. Download the Play Encrypt Private Key (PEPK) tool from the console and save it in your preferred location. Also, take note of the encryption key in the instructions.

The PEPK tool is a JAR file that allows you to export and encrypt your app signing key. For example, if you have the following:
* the PEPK tool in /Users/admin/Downloads
* app signing key signing-key.jks that has “release” as the alias, located in the same folder as the pepk.jar
* the encryption key from the Google Play Console with the value encryptionkeyfromtheconsole

you can export the key to encryptedkey.pepk using the following command:

java -jar /Users/admin/Downloads/pepk.jar --keystore=signing-key.jks --alias=release --output=/Users/admin/Downloads/encryptedkey.pepk --encryptionkey=encryptionkeyfromtheconsole

The terminal will ask you for the keystore and key password. Once you input them, the command will generate the encryptedkey.pepk file in the /Users/admin/Downloads/ directory. In the Google Play Console App Signing page, select “Export and upload a key from Java keystore” and upload the encryptedkey.pepk file.

Export and upload a key (not using a Java keystore)

If your app signing key wasn’t made using a Java keystore, select the “Export and upload a key (not using a Java keystore)” option in the Google Play Console App Signing page. You can download the PEPK tool source code and use the hex encoded public key provided in the console to export your private key.

In the Google Play Console App Signing page, select “Export and upload a key (not using Java Keystore)” and upload the key you exported.

Creating an Upload Key

An upload key is the key you will use to sign your app bundle or APK before publishing it on Google Play. You can use the same signing key as the upload key, so your process will stay the same as before. However, it is better to use a different upload key, so that if the upload key is lost or compromised, the app signing key itself is not exposed.

To create an upload key for your app, you need to create a new signing key and upload its public certificate (in PEM format). You can create a new key in Android Studio. In the Build menu, click Build > Generate Signed Bundle / APK… In the Generate Signed Bundle or APK dialog, select either Android App Bundle or APK, then click Next. Click the Create new… button below the Key store path input text. Provide the information in the New Key Store dialog then click OK.

Generating New Key Store from Android Studio

Let’s say your new upload key is upload-key.jks with “alias” as the alias. You can export its certificate to upload-cert.pem by running the following command:

keytool -export -rfc -keystore upload-key.jks -alias alias -file upload-cert.pem

The terminal will ask you for the keystore password. Once you provide it, the command will generate the upload-cert.pem file. You can then upload this PEM file in the Google Play Console. From then on, you must sign every app update with the upload-key.jks upload key.

What’s Next?

Once you have uploaded the app signing key (and created a new upload key), you can click the Finish button (Save in the New Google Play Console) to save the changes. You will see a notification that App Signing is now enabled for the app. You can now use Android App Bundle in publishing your next update.

The App Signing page will also display the certificates for the app signing key and upload key, along with their certificate fingerprints (MD5, SHA-1, SHA-256), which some APIs (for example those restricted to a specific app signature) require.
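After uploading upload-cert.pem and enrolling, it is worth confirming that the fingerprints the App Signing page shows for the upload key are the ones of the certificate you actually exported with keytool. The following script is an added example and not part of the original article: it reads a PEM certificate, computes the MD5, SHA-1 and SHA-256 fingerprints in the console’s colon-separated format, and compares them with a value pasted from the console. SAMPLE_PEM is a constructed stand-in (its body is base64 of “abc”, not a real certificate); point pem_to_der at your own upload-cert.pem.

```python
import base64
import hashlib
import re

# Constructed stand-in for upload-cert.pem. The body decodes to b"abc", not to
# a real X.509 certificate; fingerprints hash the raw DER bytes, so this is
# enough to exercise the logic. Replace it with open("upload-cert.pem").read().
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop the 64-character line wrapping
    return base64.b64decode(body, validate=True)


def fingerprints(der: bytes) -> dict:
    """Return fingerprints keyed by algorithm, in the console's AA:BB:CC form."""
    out = {}
    for label, algo in (("MD5", "md5"), ("SHA-1", "sha1"), ("SHA-256", "sha256")):
        digest = hashlib.new(algo, der).hexdigest().upper()
        out[label] = ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))
    return out


def normalize(fp: str) -> str:
    """Canonicalise a fingerprint copied from the console or keytool (case, colons, spaces)."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_console(pem_text: str, console_sha256: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals the value shown in the console."""
    local = fingerprints(pem_to_der(pem_text))["SHA-256"]
    return normalize(local) == normalize(console_sha256)


if __name__ == "__main__":
    for label, fp in fingerprints(pem_to_der(SAMPLE_PEM)).items():
        print(f"{label}: {fp}")
```

A mismatch means the console is showing a different certificate than the one you exported, which is the moment to stop and check which keystore and alias you used before signing the next release.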


Android Developer, Trainer, and Consultant | Author | Software Developer