====== [hemmerling] Google Android 13/14 - App Development IV ======
Related pages:
  *Google Android:
    *[[android.html|Android 1/15]].
    *[[android02.html|Android 2/15 - Apps]].
    *[[android03.html|Android 3/15 - App Development I]].
    *[[android04.html|Android 4/15 - App Debugging & Testing]].
    *[[android05.html|Android 5/15 - Simulators, Skins, Operating Systems, System Images]].
    *[[android06.html|Android 6/15 - App Prototyping]].
    *[[android07.html|Android 7/15 - App Publishing]].
    *[[android08.html|Android 8/15 - Hardware]].
    *[[android09.html|Android 9/15 - Amazon Fire TV]].
    *[[android10.html|Android 10/15 - TV compatible Apps ( for Android TV, Google TV, Amazon Fire TV )]].
    *[[android11.html|Android 11/15 - Browsers & Internet Apps ( for Android TV, Google TV, Amazon Fire TV )]].
    *[[android12.html|Android 12/15 - Google Android, Suggestions for Smartphone Apps to be installed on any Android Smartphone]].
    *[[android13.html|Android 13/15 - App Development II]].
    *[[android14.html|Android 14/15 - App Development III]].

===== 1 Key Generation =====
==== 1.1 Key Generation with MIT App Inventor ====
=== Instructions ===
  *The free online service [[http://ai2.appinventor.mit.edu/|MIT "App Inventor"]].
  *Delete an existing keystore, build your app and thereby generate a new keystore.
    *"MIT App Inventor".
      *"Projects / Delete Keystore".
      *Set new version number: "Projects / Project Properties / Publishing" - "VersionCode", "VersionName".
      *"Build / Android App Bundle (.aab)".
    *A file "conference_selfie.aab" is generated.
    *By building this app, "MIT App Inventor" created a new keystore.
  *"MIT App Inventor".
    *Export the new keystore: "MIT App Inventor" - "Projects / Export Keystore", save as "**hemmerling_mit.keystore**".
=== Equivalent "Keytool" Call ===
<code>
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=hemmerling@gmx.net, O=AppInventor for Android, C=US" -storepass android -keypass android
</code>
=== Result ===
<code>
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hemmerling@gmx.net, O=AppInventor for Android, C=US
Issuer: CN=hemmerling@gmx.net, O=AppInventor for Android, C=US
Serial number: 33680388
Valid from: Sun Apr 27 07:12:57 CEST 2025 until: Thu Sep 12 07:12:57 CEST 2052
Certificate fingerprints:
         SHA1:
         SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000:
0010:
]
]

*******************************************
*******************************************
</code>

==== 1.2 Key Generation with Android Studio ====
=== Instructions ===
  *Android Studio burger menu "Build" / "Generate Signed App Bundle or APK".
  *Key store path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio\hemmerling.keystore".
  *Password "android".
  *Key.
    *Alias ( alias name ): "androidkey", "key0".
    *"Password": "android".
    *"Validity (years)": "25".
    *"First and Last Name" ( CN ): "Rolf Hemmerling".
    *"Organizational Unit" ( OU ): "http://hemmerling.com".
    *"Organization" ( O ): "Dipl.-Ing.(FH) Hemmerling".
    *"City or Locality" ( L ): "Bielefeld".
    *"State or Province" ( ST ): "NRW".
    *"Country Code (XX)" ( C ): "DE".
  *Destination Folder:
    *"E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app".
    *"build" / "release".
  *Output:
    *In folder: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio".
    *My file: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio\hemmerling_as.keystore".
  *Output:
    *In folder: "E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app\release".
    *File: "E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app\release\app-release.aab".
=== Equivalent "Keytool" Call ===
<code>
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com, O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android
</code>
=== Result ===
<code>
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=DE, ST=NRW, L=Bielefeld, O=Dipl.-Ing.(FH) Hemmerling, OU=http://hemmerling.com, CN=Rolf Hemmerling
Issuer: C=DE, ST=NRW, L=Bielefeld, O=Dipl.-Ing.(FH) Hemmerling, OU=http://hemmerling.com, CN=Rolf Hemmerling
Serial number: 1
Valid from: Sun Apr 27 08:23:52 CEST 2025 until: Thu Apr 21 08:23:52 CEST 2050
Certificate fingerprints:
         SHA1:
         SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

*******************************************
*******************************************
</code>

==== 1.3 Key Generation with Keytool ====
=== Instructions ===
<code>
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android
</code>
=== Result ===
  *"keytool -list -v -keystore hemmerling.keystore -storepass android":
<code>
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE
Issuer: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE
Serial number: c2769f2c8c526070
Valid from: Sun Apr 27 09:34:51 CEST 2025 until: Thu Apr 21 09:34:51 CEST 2050
Certificate fingerprints:
         SHA1: C9:4D:E5:10:59:E4:9E:90:18:C7:CA:54:55:E4:50:A5:12:42:B4:1E
         SHA256: 19:1E:CE:75:F4:8D:41:B9:93:69:CA:28:41:B6:7D:3F:62:48:1B:C2:67:FD:FB:80:53:7A:8F:D5:11:57:A3:26
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000:
0010:
]
]

*******************************************
*******************************************
</code>
=== Some other Examples of Keytool Commands ( COMMAND.COM & PowerShell Batch File ) ===
<code>
@del hemmerling.keystore
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com, O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android
keytool -list -v -keystore hemmerling.keystore -storepass android
pause
keytool -storepasswd -keystore hemmerling.keystore -storepass android -new android2
pause
keytool -storepasswd -keystore hemmerling.keystore -storepass android2 -new android
@echo *********
@echo Attention: -keypasswd commands not supported if -storetype is PKCS12
@echo *********
pause
keytool -keypasswd -keystore hemmerling.keystore -storepass android -alias androidkey -keypass android -new android2
</code>

===== 2 PEPK - Play Encrypt Private Key =====
=== Download ===
  *[[http://play.google.com/console/|Google Play Developer Console]].
    *Select a project.
    *"Dashboard" / "Test and release" / "Setup" / "App signing".
      *"Download encryption public key".
      *"Download PEPK tool".
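A pre-flight check worth running on a keystore before its key is exported with PEPK, as an added example that is not part of the original page or of any Google tool: it parses "keytool -list -v" output such as the listing in section 1.3, flags a distinguished name in which a missing comma in -dname let one attribute swallow the next (the OU value in that listing), and compares the SHA-256 fingerprint with that of the certificate the app is currently signed with, which is the comparison behind the message "The private key doesn't match the current app certificate". All function names are hypothetical, and the all-zero app fingerprint is constructed.

```python
import re

# Abridged "keytool -list -v" output copied from section 1.3 of this page.
SAMPLE = '''Alias name: androidkey
Owner: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE
Certificate fingerprints:
         SHA256: 19:1E:CE:75:F4:8D:41:B9:93:69:CA:28:41:B6:7D:3F:62:48:1B:C2:67:FD:FB:80:53:7A:8F:D5:11:57:A3:26
'''

# One RDN: attribute name, then a quoted or unquoted value, ended by a comma.
RDN = re.compile(r'([A-Za-z][\w.]*)=("(?:[^"\\]|\\.)*"|(?:[^,\\]|\\.)*)(?:,|$)')
# An attribute token inside a value means the separating comma was missing.
EMBEDDED = re.compile(r'\s(CN|OU|O|L|ST|C)=', re.IGNORECASE)

def parse_entries(text):
    """Return one dict (alias, owner, sha256) per keystore entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\s*(Alias name|Owner|SHA256):\s*(.+)', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == 'Alias name':
            entries.append({'alias': value})
        elif entries:
            entries[-1][key.lower()] = value
    return entries

def split_dn(dn):
    """Split a DN on commas outside quotes into (attribute, value) pairs."""
    return [(a.upper(), v.strip().strip('"')) for a, v in RDN.findall(dn)]

def swallowed_attributes(dn):
    """Pairs whose value contains another 'XX=' token."""
    return [(a, v) for a, v in split_dn(dn) if EMBEDDED.search(v)]

def norm_fp(fp):
    """Reduce a fingerprint to lowercase hex so different notations compare equal."""
    return re.sub(r'[^0-9a-f]', '', fp.lower())

def audit(text, app_sha256):
    """Findings per entry: malformed DN, fingerprint differing from the app's."""
    findings = []
    for e in parse_entries(text):
        for attr, value in swallowed_attributes(e.get('owner', '')):
            findings.append(f"{e['alias']}: {attr} swallowed another attribute: {value}")
        if norm_fp(e.get('sha256', '')) != norm_fp(app_sha256):
            findings.append(f"{e['alias']}: SHA-256 differs from the app certificate")
    return findings

if __name__ == '__main__':
    # Constructed app fingerprint (all zeros) to show the mismatch finding.
    for finding in audit(SAMPLE, '00' * 32):
        print(finding)
```

The fingerprint of the certificate inside an already signed bundle can be read with "keytool -printcert -jarfile app-release.aab" and passed in as the second argument.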
=== Instructions ===
<code>
java -jar pepk.jar --keystore=hemmerling_as.keystore --alias=androidkey --keystore-pass android --key-pass android --output=hemmerling_as.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem
</code>

===== 3 apksigner =====
=== File Location ===
  *In general: "C:\Users\**username**\AppData\Local\Android\Sdk\build-tools\**sdk_version**\apksigner.bat".
  *On my system, as of 2025-04: "C:\Users\Administrator\AppData\Local\Android\Sdk\build-tools\36.0.0\apksigner.bat".
=== Documentation ===
  *[[http://www.stackoverflow.com/questions/25176594/android-sdk-location|StackOverflow "Android SDK location"]] - On Windows, "C:\Users\**username**\AppData\Local\Android\Sdk".
  *[[http://developer.android.com/tools|Android Developers "Command-line tools"]] - "You can install and update each package using Android Studio's SDK Manager. In Android Studio, click File > Project Structure. Select SDK Location in the left pane. The path is shown under Android SDK location".
  *[[http://developer.android.com/tools/apksigner|Android Developers "apksigner"]].

===== 4 Upload to Google Developer Console =====
==== Google Play Developer Console ====
  *[[http://play.google.com/console/|Google Play Developer Console]].
==== "Use existing app signing key from Java keystore" - Failure ====
  *"Google Play Console" - "Test and release / Setup / App signing" - "Let Google Play manage your app signing key".
    *"Use existing app signing key from Java keystore".
      *"Download encryption key".
      *"Download PEPK tool".
        *JAR binary "pepk.jar".
        *[[http://www.gstatic.com/play-apps-publisher-rapid/signing-tool/prod/pepk-src.jar|Google Play "pepk-src.jar"]].
      *Execute "java -jar pepk.jar --keystore=hemmerling_as.keystore --alias=androidkey --keystore-pass android --key-pass android --output=hemmerling_as.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem".
      *"Upload private key" - Upload of "hemmerling_as.zip" was rejected by the error messages:
        *"The encryption key used has expired. Use a newly generated encryption key" :-(.
        *"The private key was not properly encrypted, or is not a type of key we support" :-(.
        *"The private key doesn't match the current app certificate" :-(.
==== "Use existing app signing key from another repository" - Failure ====
  *"Google Play Console" - "Test and release / Setup / App signing" - "Let Google Play manage your app signing key".
    *"Use existing app signing key from Java keystore".
      *"Download PEPK tool".
        *JAR binary "pepk.jar".
        *[[http://www.gstatic.com/play-apps-publisher-rapid/signing-tool/prod/pepk-src.jar|Google Play "pepk-src.jar"]].
      *Execute "java -jar pepk.jar --keystore=**hemmerling_mit.keystore** --alias=**androidkey** --output=hemmerling_mit.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem" ???????
        *"Enter password for store 'hemmerling_mit.keystore'": "**android**".
        *"Enter password for key 'androidkey'": "**android**".
      *"Upload private key" - Upload of "hemmerling_mit.zip" was rejected by the error message "The private key was not properly encrypted, or is not a type of key we support" :-(.
      *Error message "The encryption key used has expired. Use a newly generated encryption key".

===== Resources =====
==== Keytool ====
=== Keytool Help Screens ===
  *"Keytool -?":
<code>
Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore
 -showinfo           Displays security-related information
 -version            Prints the program version

Use "keytool -?, -h, or --help" for this help message
Use "keytool -command_name --help" for usage of command_name.
Use the -conf option to specify a pre-configured options file.
</code>
  *"Keytool -genkeypair -?":
<code>
keytool -genkeypair [OPTION]...

Generates a key pair

Options:

 -alias              alias name of the entry to process
 -keyalg             key algorithm name
 -keysize            key bit size
 -groupname          Group name. For example, an Elliptic Curve name.
 -sigalg             signature algorithm name
 -dname              distinguished name
 -startdate          certificate validity start date/time
 -ext                X.509 extension
 -validity           validity number of days
 -keypass            key password
 -keystore           keystore name
 -signer             signer alias
 -signerkeypass      signer key password
 -storepass          keystore password
 -storetype          keystore type
 -providername       provider name
 -addprovider        add security provider by name (e.g. SunPKCS11)
   [-providerarg ]   configure argument for -addprovider
 -providerclass      add security provider by fully-qualified class name
   [-providerarg ]   configure argument for -providerclass
 -providerpath       provider classpath
 -v                  verbose output
 -protected          password through protected mechanism
</code>
=== Documentation ===
  *[[http://www.ibm.com/docs/en/sdk-java-technology|IBM "IBM SDK, Java Technology Edition documentation"]].
    *[[http://www.ibm.com/docs/en/sdk-java-technology/8?topic=keytool-key-certificate-management-tool|IBM "keytool - Key and Certificate Management Tool"]].
    *[[http://www.ibm.com/docs/en/sdk-java-technology/8?topic=guide-keytool|IBM "Keytool"]].
    *[[http://www.ibm.com/docs/en/sdk-java-technology/8?topic=warnings-keystore|IBM "KeyStore"]].
    *[[http://www.ibm.com/docs/en/sdk-java-technology/8?topic=warnings-certificate|IBM "Certificate"]].
  *[[http://docs.oracle.com/en/java/javase/24/docs/specs/man/keytool.html|Oracle Docs, JavaSE24 "The keytool Command"]] - Complete tool manual.
    *"keytool -genkeypair -dname "cn=myname, ou=mygroup, o=mycompany, c=mycountry" -alias business -keyalg rsa -keypass password -keystore /working/mykeystore -storepass password -validity 180".
    *"A two-letter country code of mycountry".
  *[[http://en.wikipedia.org/wiki/X.509|EN.Wikipedia "X.509"]].
  *[[http://en.wikipedia.org/wiki/Certificate_signing_request|EN.Wikipedia "Certificate signing request"]] - "C Country The two-letter ISO code for the country where your organization is located".
  *[[http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2|EN.Wikipedia "ISO 3166-1 alpha-2"]] - "DE Germany".
  *[[http://en.wikipedia.org/wiki/Organizational_unit|EN.Wikipedia "Organizational unit"]].
=== Locations in Filesystem ===
  *Android Studio, e.g. Keytool version "21.0.5" => "C:\Program Files\Android\Android Studio\jbr\bin\keytool.exe".
  *JDK 24, e.g. Keytool version "24.0.1" => "C:\Program Files\Java\jdk\bin\keytool.exe".
=== Resources ===
  *"Keytool -genkey" is short for "Keytool -genkeypair".
  *Key password for your key ( with keyname "alias" ) = "keypass".
  *Distinguished name parameters in uppercase letters, please!
    *In lowercase letters, '-dname "**cn**=Common Name, **ou**=Organisational Unit **o=**Organisation, **c**=DE"' results in "Owner: **CN**=Common Name, **OU**=Organisational Unit **o=**Organisation, **C**=DE".
  *Typical file extensions for keystores are ".jks", ".key", ".keystore".
    *However, the website "MIT App Inventor" only accepts keystores with the file extension ".keystore".
    *With "MIT App Inventor", if you try to load a keystore with file extension ".jks" ( which is loaded properly if named with the file extension ".keystore" ), it is refused with the error message "The selected file is not a keystore!" :-(.
  *Changing the password of a key is rejected by the error message "keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12".
  *[[http://knowledge.digicert.com/quovadis/ssl-certificates/ssl-general-topics/common-java-keytool-commands|Digicert "Common Java Keytool Commands"]].
  *[[http://gregorycernera.medium.com/introduction-to-the-java-keytool-command-13e129e4d7df|Medium, Gregory Cernera "Introduction to the Java keytool command"]].
  *[[http://www.stackoverflow.com/questions/28343581/android-keystore-password-change|StackOverflow "Android keystore password change"]].
    *Changing Keystore's password or alias password doesn't affect the way it is used to generate the signed apk.
    *The usage of keytool might have changed in the past years. What worked for me was:
      *To change the password of an alias inside a store: "keytool -keypasswd -keystore pathToKeystoreFile -alias yourAlias -keypass oldAliasPassword -storepass oldStorePassword -new newAliasPassword".
      *To change the password of your keystore file: "keytool -storepasswd -keystore pathToKeystoreFile -storepass oldStorePassword -new newStorePassword".
    *You should not include your password in the command because it'll be written to your command history (~/.bash_history).
<code>
# Change the key password
keytool -keypasswd -alias "your_key_alias" -keystore "key_filename.key"
# Change the keystore password
keytool -storepasswd -keystore "key_filename.key"
</code>
  *[[http://www.stackoverflow.com/questions/67254222/how-long-is-validity-of-app-signing-key-when-i-let-google-create-and-manage-my|StackOverflow "How long is validity of app signing key when I 'Let Google create and manage my app signing key'?"]] - "Certificates created by Google have a validity of 30 years".
    *"-validity 9125" = 25 years.
    *"-validity 10000" ( MIT App Inventor ).
    *"-validity 10950" - 30 years.

==== PEPK ====
=== PEPK Help Screen ===
<code>
USAGE:
  java -jar pepk.jar --keystore --alias --output= (--rsa-aes-encryption --encryption-key-path= | --encryptionkey=) [--signing-keystore [--signing-key-alias=]] [--include-cert]

pepk (Play Encrypt Private Key) is a tool for exporting private keys from a
Java Keystore and encrypting them for transfer to Google Play as part of
enrolling in App Signing by Google Play.

REQUIRED FLAGS
  --keystore             Path to the keystore containing the private key to export.
  --alias                Alias of the private key in the keystore.
  --output               File in which to output the encrypted private key.

OPTIONAL FLAGS
  --keystore-pass        Password for the keystore. If not set, will be prompted on the command line.
  --key-pass             Password for the key inside the keystore. If not set, the same password as the keystore will be used, or if none was set, it will be prompted on the command line.
  --signing-keystore     Path to the keystore containing the private key that will be used for signing the exported encrypted private key.
  --signing-key-alias    Alias of the private key used for signing in the signing Keystore. Must be specified if --signing-keystore flag is set.
  --rsa-aes-encryption   Use RSA AES Key Wrap encryption for encrypting the private key.
  --encryption-key-path  Path to the PEM-encoded public key to be used for encrypting the private key. Must be specified if --rsa-aes-encryption is set.
  --encryptionkey        Public key to encrypt the private key with. This will be the hex encoded bytes of the public key. The public key is a 4-byte identity followed by a 64-byte P256 point. Must be specified if --rsa-aes-encryption is not set.
  --include-cert         Include the public certificate to be exported along with the encrypted private key.

OTHER OPTIONS
  --help                 Show this usage page and exit.
  --license              Show the license for the tool and exit.
</code>
=== Documentation ===
  *[[http://www.github.com/yongjhih/pepk/blob/master/README.md|Github "yongjhih / pepk / README.md"]] - "PEPK - Play Encrypt Private Key".

{{tag>"Google Android" Android}}