
[hemmerling] Google Android 13/14 - App Development IV

1 Key Generation

1.1 Key Generation with MIT App Inventor

Instructions

  • The free online service MIT "App Inventor".
  • Delete any existing keystore, then build your app; the build generates a new keystore.
    • “MIT App Inventor”.
      • “Projects / Delete Keystore”.
      • Set new version number: “Projects / Project Properties / Publishing” - “VersionCode”, “VersionName”.
    • “Build / Android App Bundle (.aab)”.
      • A file “conference_selfie.aab” is generated.
  • By building the app, “MIT App Inventor” created a new keystore.
    • “MIT App Inventor”.
      • Export the new keystore: “MIT App Inventor” - “Projects / Export Keystore”, save as “hemmerling_mit.keystore”.

Equivalent "Keytool" Call

keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=hemmerling@gmx.net, O=AppInventor for Android, C=US" -storepass android -keypass android

Result

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hemmerling@gmx.net, O=AppInventor for Android, C=US
Issuer: CN=hemmerling@gmx.net, O=AppInventor for Android, C=US
Serial number: 33680388
Valid from: Sun Apr 27 07:12:57 CEST 2025 until: Thu Sep 12 07:12:57 CEST 2052
Certificate fingerprints:
         SHA1: 
         SHA256: 
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 
0010: 
]
]



*******************************************
*******************************************

1.2 Key Generation with Android Studio

Instructions

  • Android Studio burger menu “Build” / “Generate Signed App Bundle or APK”.
    • Key store path “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio\hemmerling.keystore”.
      • Password “android”.
    • Key.
      • Alias ( alias name ): “androidkey”, “key0”.
      • “Password”: “android”.
      • “Validity (years)”: “25”.
      • “First and Last Name” ( CN ): “Rolf Hemmerling”.
      • “Organizational Unit” ( OU ): “http://hemmerling.com”.
      • “Organization” ( O ): “Dipl.-Ing.(FH) Hemmerling”.
      • “City or Locality” ( L ): “Bielefeld”.
      • “State or Province” ( ST ): “NRW”.
      • “Country Code (XX)” ( C ) : “DE”.
    • Destination Folder:
      • “E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app”.
      • “build” / “release”.
  • Output:
    • In folder: “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio”.
    • My file: “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio\hemmerling_as.keystore”.
  • Output:
    • In folder: “E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app\release”.
    • File: “E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app\release\app-release.aab”.

Equivalent "Keytool" Call

keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com, O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android

Result

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=DE, ST=NRW, L=Bielefeld, O=Dipl.-Ing.(FH) Hemmerling, OU=http://hemmerling.com, CN=Rolf Hemmerling
Issuer: C=DE, ST=NRW, L=Bielefeld, O=Dipl.-Ing.(FH) Hemmerling, OU=http://hemmerling.com, CN=Rolf Hemmerling
Serial number: 1
Valid from: Sun Apr 27 08:23:52 CEST 2025 until: Thu Apr 21 08:23:52 CEST 2050
Certificate fingerprints:
         SHA1: 
         SHA256: 
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************

1.3 Key Generation with Keytool

Instructions

keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android

Result

  • “keytool -list -v -keystore hemmerling.keystore -storepass android”:
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: androidkey
    Creation date: 27.04.2025
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE
    Issuer: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE
    Serial number: c2769f2c8c526070
    Valid from: Sun Apr 27 09:34:51 CEST 2025 until: Thu Apr 21 09:34:51 CEST 2050
    Certificate fingerprints:
             SHA1: C9:4D:E5:10:59:E4:9E:90:18:C7:CA:54:55:E4:50:A5:12:42:B4:1E
             SHA256: 19:1E:CE:75:F4:8D:41:B9:93:69:CA:28:41:B6:7D:3F:62:48:1B:C2:67:FD:FB:80:53:7A:8F:D5:11:57:A3:26
    Signature algorithm name: SHA384withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 
    0010: 
    ]
    ]
    
    
    
    *******************************************
    *******************************************
    

Some other Examples of Keytool Commands ( COMMAND.COM & Powershell Batch File )

@del hemmerling.keystore
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android
keytool -list -v -keystore hemmerling.keystore -storepass android
pause
keytool -storepasswd -keystore hemmerling.keystore -storepass android -new android2
pause
keytool -storepasswd -keystore hemmerling.keystore -storepass android2 -new android
@echo *********
@echo Attention: -keypasswd commands not supported if -storetype is PKCS12
@echo *********
pause
keytool -keypasswd -keystore hemmerling.keystore -storepass android -alias androidkey -keypass android -new android2

2 PEPK - Play Encrypt Private Key

Download

    • Select a project.
      • “Dashboard” / “Test and release” / “Setup” / “App signing”.
        • “Download encryption public key”.
        • “Download PEPK tool”.

Instructions

java -jar pepk.jar --keystore=hemmerling_as.keystore --alias=androidkey  --keystore-pass android --key-pass android --output=hemmerling_as.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem

3 apksigner

File Location

  • In general: “C:\Users\username\AppData\Local\Android\Sdk\build-tools\sdk_version\apksigner.bat”.
  • On my system, as of 2025-04: “C:\Users\Administrator\AppData\Local\Android\Sdk\build-tools\36.0.0\apksigner.bat”.

Documentation

4 Upload to Google Developer Console

Google Play Developer Console

"Use existing app signing key from Java keystore" - Failure

  • “Google Play Console” - “Test and release / Setup / App signing” - “Let Google Play manage your app signing key”.
    • “Use existing app signing key from Java keystore”.
    • Execute
      java -jar pepk.jar --keystore=hemmerling_as.keystore --alias=androidkey --keystore-pass android --key-pass android --output=hemmerling_as.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem
    • “Upload private key” - Upload of “hemmerling_as.zip” was rejected by the error messages:
      • “The encryption key used has expired. Use a newly generated encryption key” :-(.
      • “The private key was not properly encrypted, or is not a type of key we support” :-(.
      • “The private key doesn't match the current app certificate” :-(.

"Use existing app signing key from another repository" - Failure

  • “Google Play Console” - “Test and release / Setup / App signing” - “Let Google Play manage your app signing key”.
    • “Use existing app signing key from Java keystore”.
    • Execute “java -jar pepk.jar --keystore=hemmerling_mit.keystore --alias=androidkey --output=hemmerling_mit.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem” ???????
      • “Enter password for store 'hemmerling_mit.keystore'”: “android”.
      • “Enter password for key 'androidkey'”: “android”.
    • “Upload private key” - Upload of “hemmerling_mit.zip” was rejected by the error message “The private key was not properly encrypted, or is not a type of key we support” :-(.
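
The first upload above was rejected with “The private key doesn't match the current app certificate”, and each keystore generated in section 1 holds a different certificate. As an added example (not part of the original notes), this Python code parses “keytool -list -v” output and checks the entry against an expected SHA-256 fingerprint before the key is passed to pepk. The function names and the expected-fingerprint input are assumptions; the sample listing is abridged from section 1.3.

```python
import re

# Abridged `keytool -list -v` output, copied from the listing in section 1.3.
LISTING = """\
Alias name: androidkey
Entry type: PrivateKeyEntry
Owner: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE
Valid from: Sun Apr 27 09:34:51 CEST 2025 until: Thu Apr 21 09:34:51 CEST 2050
         SHA256: 19:1E:CE:75:F4:8D:41:B9:93:69:CA:28:41:B6:7D:3F:62:48:1B:C2:67:FD:FB:80:53:7A:8F:D5:11:57:A3:26
Subject Public Key Algorithm: 2048-bit RSA key
"""


def normalize(fingerprint):
    """Compare fingerprints as bare lowercase hex, ignoring ':' and spaces."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def parse_listing(text):
    """Extract the fields a pre-upload check needs from keytool's listing."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else ""
    return {
        "alias": field(r"^\s*Alias name: (.+)$"),
        "entry_type": field(r"^\s*Entry type: (.+)$"),
        "owner": field(r"^\s*Owner: (.+)$"),
        "sha256": normalize(field(r"^\s*SHA256: ([0-9A-Fa-f:]+)")),
        "expires_year": field(r"until: .* (\d{4})$"),
    }


def findings(info, alias, expected_sha256):
    """Return reasons this keystore entry should not be exported yet."""
    out = []
    if info["alias"] != alias:
        out.append("alias mismatch")
    if info["entry_type"] != "PrivateKeyEntry":
        out.append("entry has no private key")
    if info["sha256"] != normalize(expected_sha256):
        out.append("certificate differs from the expected one")
    # A quoted DN value that contains another attribute means a comma was
    # missing in -dname, so that attribute was swallowed by the previous one.
    if re.search(r'="[^"]*\s(CN|OU|O|L|ST|C)=', info["owner"]):
        out.append("DN attribute merged into its neighbour")
    return out
```

For a real keystore, feed `parse_listing` the captured output of “keytool -list -v” and pass the fingerprint recorded for the current app certificate as `expected_sha256`.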

Error message “The encryption key used has expired. Use a newly generated encryption key”

Resources

Keytool

Keytool Help Screens

  • “Keytool -?”:
    Commands:
     -certreq            Generates a certificate request
     -changealias        Changes an entry's alias
     -delete             Deletes an entry
     -exportcert         Exports certificate
     -genkeypair         Generates a key pair
     -genseckey          Generates a secret key
     -gencert            Generates certificate from a certificate request
     -importcert         Imports a certificate or a certificate chain
     -importpass         Imports a password
     -importkeystore     Imports one or all entries from another keystore
     -keypasswd          Changes the key password of an entry
     -list               Lists entries in a keystore
     -printcert          Prints the content of a certificate
     -printcertreq       Prints the content of a certificate request
     -printcrl           Prints the content of a CRL file
     -storepasswd        Changes the store password of a keystore
     -showinfo           Displays security-related information
     -version            Prints the program version
    
    Use "keytool -?, -h, or --help" for this help message
    Use "keytool -command_name --help" for usage of command_name.
    Use the -conf <url> option to specify a pre-configured options file.
    
  • “Keytool -genkeypair -?”:
    keytool -genkeypair [OPTION]...
    
    Generates a key pair
    
    Options:
    
     -alias <alias>          alias name of the entry to process
     -keyalg <alg>           key algorithm name
     -keysize <size>         key bit size
     -groupname <name>       Group name. For example, an Elliptic Curve name.
     -sigalg <alg>           signature algorithm name
     -dname <name>           distinguished name
     -startdate <date>       certificate validity start date/time
     -ext <value>            X.509 extension
     -validity <days>        validity number of days
     -keypass <arg>          key password
     -keystore <keystore>    keystore name
     -signer <alias>         signer alias
     -signerkeypass <arg>    signer key password
     -storepass <arg>        keystore password
     -storetype <type>       keystore type
     -providername <name>    provider name
     -addprovider <name>     add security provider by name (e.g. SunPKCS11)
       [-providerarg <arg>]    configure argument for -addprovider
     -providerclass <class>  add security provider by fully-qualified class name
       [-providerarg <arg>]    configure argument for -providerclass
     -providerpath <list>    provider classpath
     -v                      verbose output
     -protected              password through protected mechanism
    

Documentation

Locations in Filesystem

  • Android Studio, e.g. Keytool version “21.0.5” ⇒ “C:\Program Files\Android\Android Studio\jbr\bin\keytool.exe”.
  • JDK 24, e.g. Keytool version “24.0.1” ⇒ “C:\Program Files\Java\jdk\bin\keytool.exe”.

Resources

  • “Keytool -genkey” is short for “Keytool -genkeypair”.
  • Key password for your key ( with keyname “alias” ) = “keypass”.
  • Distinguished name parameters in uppercase letters, please!
    • In lowercase letters, '-dname “cn=Common Name, ou=Organisational Unit o=Organisation, c=DE”' results in “Owner: CN=Common Name, OU=Organisational Unit o=Organisation, C=DE”.
  • Typical file extensions for keystores are “.jks”, “.key”, “.keystore”.
    • However, the website “MIT App Inventor” only accepts keystores with the file extension “.keystore”.
    • If you try to load a keystore with the file extension “.jks” into “MIT App Inventor” ( the same file loads properly when renamed to the file extension “.keystore” ), it refuses with the error message “The selected file is not a keystore!” :-(.
  • Changing the password of a key is rejected by the error message “keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12”.
    • Changing Keystore's password or alias password doesn't affect the way it is used to generate the signed apk.
    • The usage of keytool might have changed in the past years. What worked for me was:
      • To change the password of an alias inside a store:
        keytool -keypasswd -keystore pathToKeystoreFile -alias yourAlias -keypass oldAliasPassword -storepass oldStorePassword -new newAliasPassword
        
      • To change the password of your keystore file:
        keytool -storepasswd -keystore pathToKeystoreFile -storepass oldStorePassword -new newStorePassword
        
    • You should not include your password in the command because it'll be written to your command history (~/.bash_history).
      # Change the key password 
      keytool -keypasswd -alias "your_key_alias" -keystore "key_filename.key"
      # Change the keystore password
      keytool -storepasswd -keystore "key_filename.key"
      
    • ”-validity 9125” = 25 years.
    • ”-validity 10000” ( MIT App Inventor ).
    • ”-validity 10950” - 30 years.
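
An added example (not part of the original notes) for the advice above about keeping passwords out of the command line, for scripted runs where keytool cannot prompt: keytool accepts “-storepass:env NAME” and “-keypass:env NAME” and then reads the password from that environment variable. The helper names and the variable names KS_STOREPASS and KS_KEYPASS are assumptions; the sample command is the listing command used on this page.

```python
import os
import shlex
import shutil
import subprocess

# keytool password options rewritten to the ":env" form, and the
# (hypothetical) environment variable each one will read from.
PASSWORD_OPTS = {"-storepass": "KS_STOREPASS", "-keypass": "KS_KEYPASS"}

# Listing command as used on this page, with the password inline.
INLINE = "keytool -list -v -keystore hemmerling.keystore -storepass android"


def move_passwords_to_env(argv):
    """Return (safe_argv, secrets): inline passwords become '-opt:env NAME'."""
    safe, secrets, i = [], {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg in PASSWORD_OPTS and i + 1 < len(argv):
            name = PASSWORD_OPTS[arg]
            secrets[name] = argv[i + 1]      # value travels via environment
            safe += [arg + ":env", name]     # argv carries only the name
            i += 2
        else:
            safe.append(arg)
            i += 1
    return safe, secrets


def run_keytool(argv, secrets):
    """Run keytool with the secrets set only in the child's environment."""
    env = dict(os.environ, **secrets)
    return subprocess.run(argv, env=env, capture_output=True, text=True)


if __name__ == "__main__":
    # In real use, fill `secrets` from getpass.getpass() or a secret store
    # instead of taking it from a command string as done here.
    safe_argv, secrets = move_passwords_to_env(shlex.split(INLINE))
    print(" ".join(safe_argv))               # loggable: no password in it
    if shutil.which("keytool") and os.path.exists("hemmerling.keystore"):
        print(run_keytool(safe_argv, secrets).stdout)
```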

PEPK

PEPK Help Screen

USAGE:
       java -jar pepk.jar
         --keystore <release_keystore>
         --alias <key_alias>
         --output=<output_file>
         (--rsa-aes-encryption --encryption-key-path=</path/to/encryption_public_key.pem> | --encryptionkey=<encryption_key_hex>)
         [--signing-keystore <keystore> [--signing-key-alias=<alias>]]
         [--include-cert]

pepk (Play Encrypt Private Key) is a tool for exporting private keys from a
Java Keystore and encrypting them for transfer to Google Play as part of
enrolling in App Signing by Google Play.


        REQUIRED FLAGS

--keystore            Path to the keystore containing the private key to export.

--alias               Alias of the private key in the keystore.

--output              File in which to output the encrypted private key.

        OPTIONAL FLAGS

--keystore-pass       Password for the keystore. If not set, will be prompted on
                      the command line.

--key-pass            Password for the key inside the keystore. If not set, the
                      same password as the keystore will be used, or if none was
                      set, it will be prompted on the command line.

--signing-keystore    Path to the keystore containing the private key that will
                      be used for signing the exported encrypted private key.

--signing-key-alias   Alias of the private key used for signing in the
                      signing Keystore. Must be specified if --signing-keystore
                      flag is set.

--rsa-aes-encryption  Use RSA AES Key Wrap encryption for encrypting the
                      private key.

--encryption-key-path Path to the PEM-encoded public key to be used for
                      encrypting the private key. Must be specified if
                      --rsa-aes-encryption is set.

--encryptionkey       Public key to encrypt the private key with. This will be
                      the hex encoded bytes of the public key. The public key
                      is a 4-byte identity followed by a 64-byte P256 point.
                      Must be specified if --rsa-aes-encryption is not set.

--include-cert        Include the public certificate to be exported along with
                      the encrypted private key.

        OTHER OPTIONS

--help                Show this usage page and exit.

--license             Show the license for the tool and exit.

Documentation

 
en/android15.html.txt · Last modified: 2025/05/17 13:13 (external edit) · []