Table of Contents
[hemmerling] Google Android 13/14 - App Development IV
Related pages:
- Google Android:
1 Key Generation
1.1 Key Generation with MIT App Inventor
Instructions
- The free online service MIT "App Inventor".
- Delete an existing keystore, built your app & by that, generate a new keystore.
- “MIT App Inventor”.
- “Projects / Delete Keystore”.
- Set new version number: “Projects / Project Properties / Publising” - “VersionCode”, “VersionName”.
- “Build / Android App Bundle (.aab)”.
- A file “conference_selfie.aab” is generated.
- By this app building, “MIT App Inventor” created a new keystore.
- “MIT App Inventor”.
- Export the new keystore: “MIT App Inventor” - “Projects / Export Keystore”, save as “hemmerling_mit.keystore”.
Equivalent "Keytool" Call
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 10000 -dname "CN=hemmerling@gmx.net, O=AppInventor for Android, C=US" -storepass android -keypass android
Result
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hemmerling@gmx.net, O=AppInventor for Android, C=US
Issuer: CN=hemmerling@gmx.net, O=AppInventor for Android, C=US
Serial number: 33680388
Valid from: Sun Apr 27 07:12:57 CEST 2025 until: Thu Sep 12 07:12:57 CEST 2052
Certificate fingerprints:
SHA1:
SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000:
0010:
]
]
*******************************************
*******************************************
1.2 Key Generation with Android Studio
Instructions
- AndroidStudio BurgerMenu “Build” / “Generate Signed App Bundle or APK”.
- Key store path “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio\hemmerling.keystore”.
- Password “android”.
- Key.
- Alias ( alias name ): “androidkey”, ”
key0” - “Password: “android”.
- “Validity (years)”: “25”.
- “First and Last Name” ( CN ): “Rolf Hemmerling”.
- “Organizational Unit” ( OU ): “http://hemmerling.com”.
- “Organizsation” ( O ): “Dipl.-Ing.(FH) Hemmerling”.
- “City or Loyalty” ( L ): “Bielefeld”.
- “State or Province” ( ST ): “NRW”.
- “Country Code (XX)” ( C ) : “DE”.
- Destination Folder:
- “E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app”.
- ”
build” / “release”.
- Output:
- In folder: “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio”.
- My file: “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio\hemmerling_as.keystore”.
Output:- In folder: ”
E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app\release”. - File: ”
E:\users\Public\archive\github\kotlin-htapp\HemmerlingTheApp\app\release\app-release.aab”.
Equivalent "Keytool" Call
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android
Result
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: androidkey
Creation date: 27.04.2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=DE, ST=NRW, L=Bielefeld, O=Dipl.-Ing.(FH) Hemmerling, OU=http://hemmerling.com, CN=Rolf Hemmerling
Issuer: C=DE, ST=NRW, L=Bielefeld, O=Dipl.-Ing.(FH) Hemmerling, OU=http://hemmerling.com, CN=Rolf Hemmerling
Serial number: 1
Valid from: Sun Apr 27 08:23:52 CEST 2025 until: Thu Apr 21 08:23:52 CEST 2050
Certificate fingerprints:
SHA1:
SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
*******************************************
*******************************************
1.3 Key Generation with Keytool
Instructions
keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android
Result
- “keytool -list -v -keystore hemmerling.keystore -storepass android:
Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry Alias name: androidkey Creation date: 27.04.2025 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE Issuer: CN=Rolf Hemmerling, OU="http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling", C=DE Serial number: c2769f2c8c526070 Valid from: Sun Apr 27 09:34:51 CEST 2025 until: Thu Apr 21 09:34:51 CEST 2050 Certificate fingerprints: SHA1: C9:4D:E5:10:59:E4:9E:90:18:C7:CA:54:55:E4:50:A5:12:42:B4:1E SHA256: 19:1E:CE:75:F4:8D:41:B9:93:69:CA:28:41:B6:7D:3F:62:48:1B:C2:67:FD:FB:80:53:7A:8F:D5:11:57:A3:26 Signature algorithm name: SHA384withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 0010: ] ] ******************************************* *******************************************
Some other Examples of Keytool Commands ( COMMAND.COM & Powershell Batch File )
@del hemmerling.keystore keytool -genkeypair -v -keystore hemmerling.keystore -alias androidkey -keyalg RSA -keysize 2048 -validity 9125 -dname "CN=Rolf Hemmerling, OU=http://hemmerling.com O=Dipl.-Ing.(FH) Hemmerling, C=DE" -storepass android -keypass android keytool -list -v -keystore hemmerling.keystore -storepass android pause keytool -storepasswd -keystore hemmerling.keystore -storepass android -new android2 pause keytool -storepasswd -keystore hemmerling.keystore -storepass android2 -new android @echo ********* @echo Attention: -keypasswd commands not supported if -storetype is PKCS12 @echo ********* pause keytool -keypasswd -keystore hemmerling.keystore -storepass android -alias android -keypass android -new android2
2 PEPK - Play Encrypt Private Key
Download
-
- Select a project.
- “Dashboard” / “Test and release” / “Setup” / “App signing”.
- “Download encryption public key”.
- “Download PEPK tool”.
Instructions
java -jar pepk.jar --keystore=hemmerling_as.keystore --alias=androidkey --keystore-pass android --key-pass android --output=hemmerling_as.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem
3 apksigner
File Location
- In general: “C:\Users\username\AppData\Local\Android\Sdk\build-tools\sdk_version\apksigner.bat”.
- On my system, as of 2025-04: “C:\Users\Administrator\AppData\Local\Android\Sdk\build-tools\36.0.0\apksigner.bat”.
Documentation
- StackOverflow "Android SDK location" - On Windows, “C:\Users\username\AppData\Local\Android\Sdk”.
- Android Developers "Command-line tools" - “You can install and update each package using Android Studio's SDK Manager. In Android Studio, click File > Project Structure. Select SDK Location in the left pane. The path is shown under Android SDK location”.
3 Upload to Google Developer Console
Google Play Developer Console
"Use existing app signing key from Java keystore" - Failure
- “Google Play Console” - “Test and release / Setup / App signing” - “Let Google Play manage your app signing key”.
- “Use existing app signing key from Java keystore”.
- “Download encryption key”.
- “Download PEPK tool.
- JAR binary “pepk.jar”.
- Execute
java -jar pepk.jar --keystore=hemmerling_as.keystore --alias=androidkey --keystore-pass android --key-pass android --output=hemmerling_as.zip --rsa-aes-encryption --encryption-key-path=encryption_public_key.pem
- “Upload private key” - Upload of “hemmerling_as.zip” was rejected by the error messages:
- “The encryption key used has expired. Use a newly generated encryption key”
. - “The private key was not properly encrypted, or is not a type of key we support”.
- ”
The private key doesn't match the current app certificate”.
"Use existing app signing key from another repository" - Failure
- “Google Play Console” - “Test and release / Setup / App signing” - “Let Google Play manage your app signing key”.
- “Use existing app signing key from Java keystore”.
- “Download PEPK tool.
- JAR binary “pepk.jar”.
- Execute “java -jar pepk.jar –keystore=hemmerling_mit.keystore –alias=androidkey –output=hemmerling_mit.zip –rsa-aes-encryption –encryption-key-path=encryption_public_key.pem” ???????
- “Enter password for store 'hemmerling_mit.keystore'”: “android”.
- “Enter password for key 'androidkey'”: “android”.
- “Upload private key” - Upload of “hemmerling_mit.zip” was rejected by the error message “The private key was not properly encrypted, or is not a type of key we support”.
Error message “The encryption key used has expired. Use a newly generated encryption key”
Resources
Keytool
Keytool Help Screens
- “Keytool -?”:
Commands: -certreq Generates a certificate request -changealias Changes an entry's alias -delete Deletes an entry -exportcert Exports certificate -genkeypair Generates a key pair -genseckey Generates a secret key -gencert Generates certificate from a certificate request -importcert Imports a certificate or a certificate chain -importpass Imports a password -importkeystore Imports one or all entries from another keystore -keypasswd Changes the key password of an entry -list Lists entries in a keystore -printcert Prints the content of a certificate -printcertreq Prints the content of a certificate request -printcrl Prints the content of a CRL file -storepasswd Changes the store password of a keystore -showinfo Displays security-related information -version Prints the program version Use "keytool -?, -h, or --help" for this help message Use "keytool -command_name --help" for usage of command_name. Use the -conf <url> option to specify a pre-configured options file.
- “Keytool -genkeypair -?”:
keytool -genkeypair [OPTION]... Generates a key pair Options: -alias <alias> alias name of the entry to process -keyalg <alg> key algorithm name -keysize <size> key bit size -groupname <name> Group name. For example, an Elliptic Curve name. -sigalg <alg> signature algorithm name -dname <name> distinguished name -startdate <date> certificate validity start date/time -ext <value> X.509 extension -validity <days> validity number of days -keypass <arg> key password -keystore <keystore> keystore name -signer <alias> signer alias -signerkeypass <arg> signer key password -storepass <arg> keystore password -storetype <type> keystore type -providername <name> provider name -addprovider <name> add security provider by name (e.g. SunPKCS11) [-providerarg <arg>] configure argument for -addprovider -providerclass <class> add security provider by fully-qualified class name [-providerarg <arg>] configure argument for -providerclass -providerpath <list> provider classpath -v verbose output -protected password through protected mechanism
Documentation
-
- Oracle Docs, JavaSE24 "The keytool Command" - Complete tool manual.
- “keytool -genkeypair -dname “cn=myname, ou=mygroup, o=mycompany, c=mycountry” -alias business -keyalg rsa -keypass password -keystore /working/mykeystore -storepass password -validity 180”.
- “A two-letter country code of mycountry”.
-
- EN.Wikipedia "Certificate signing request" - “C Country The two-letter ISO code for the country where your organization is located”.
- EN.Wikipedia "ISO 3166-1 alpha-2" - “DE Germany”.
Locations in Filesystem
- Android Studio, e.g. Keytool version “21.0.5” ⇒ “C:\Program Files\Android\Android Studio\jbr\bin\keytool.exe”.
- JDK 24, e.g. Keytool version “24.0.1” ⇒ “C:\Program Files\Java\jdk\bin\keytool.exe”.
Resources
- “Keytool -genkey” is a short for “Keytool -genkeypair”.
- Key password for your key ( with keyname “alias” ) = “keypass”.
- Distinguish name parameters in uppercase letters, please!
- In lowercase letters, '-dname “cn=Common Name, ou=Organisational Unit o=Organisation, c=DE” results in “Owner: CN=Common Name, OU=Organisational Unit o=Organisation, C=DE”.
- Typical file extions for keystores are ”.jks”, ”.key”, ”.keystore”.
- However the website “MIT App Inventor” just accepts keystores with file extension ”.keystore”.
- With “MIT App Inventor” , if you try to load a keystore with file extension ”.jks” ( which is loaded properly if named with the file extension ”.keystore” ), refuses by the error message “The selected file is not a keystore!”.
- Changing the password of a key is rejected by the error message “keytool error: java.lang.UnsupportedOperationException: -keypasswd commands not supported if -storetype is PKCS12”.
-
- Changing Keystore's password or alias password doesn't affect the way it is used to generate the signed apk.
- The usage of keytool might have changed in the past years. What worked for me was:
- To change the password of an alias inside a store:
keytool -keypasswd -keystore pathToKeystoreFile -alias yourAlias -keypass oldAliasPassword -storepass oldStorePassword -new newAliasPassword
- To change the password of your keystore file:
keytool -storepasswd -keystore pathToKeystoreFile -storepass oldStorePassword -new newStorePassword
- You should not include your password in the command because it'll be written to your command history (~/.bash_history).
# Change the key password keytool -keypasswd -alias "your_key_alias" -keystore "key_filename.key" # Change the keystore password keytool -storepasswd -keystore "key_filename.key"
- StackOverflow "How long is validity of app signing key when I 'Let Google create and manage my app signing key'?" - “Certificates created by Google have a validity of 30 years”.
- ”-validity 9125” = 25 years.
- ”-validity 10000” ( MIT App Inventor ).
- ”-validity 10950” - 30 years.
PEPK
PEPK Help Screen
USAGE:
java -jar pepk.jar
--keystore <release_keystore>
--alias <key_alias>
--output=<output_file>
(--rsa-aes-encryption --encryption-key-path=</path/to/encryption_public_key.pem> | --encryptionkey=<encryption_key_hex>)
[--signing-keystore <keystore> [--signing-key-alias=<alias>]]
[--include-cert]
pepk (Play Encrypt Private Key) is a tool for exporting private keys from a
Java Keystore and encrypting them for transfer to Google Play as part of
enrolling in App Signing by Google Play.
REQUIRED FLAGS
--keystore Path to the keystore containing the private key to export.
--alias Alias of the private key in the keystore.
--output File in which to output the encrypted private key.
OPTIONAL FLAGS
--keystore-pass Password for the keystore. If not set, will be prompted on
the command line.
--key-pass Password for the key inside the keystore. If not set, the
same password as the keystore will be used, or if none was
set, it will be prompted on the command line.
--signing-keystore Path to the keystore containing the private key that will
be used for signing the exported encrypted private key.
--signing-key-alias Alias of the private key used for signing in the
signing Keystore. Must be specified if --signing-keystore
flag is set.
--rsa-aes-encryption Use RSA AES Key Wrap encryption for encrypting the
private key.
--encryption-key-path Path to the PEM-encoded public key to be used for
encrypting the private key. Must be specified if
--rsa-aes-encryption is set.
--encryptionkey Public key to encrypt the private key with. This will be
the hex encoded bytes of the public key. The public key
is a 4-byte identity followed by a 64-byte P256 point.
Must be specified if --rsa-aes-encryption is not set.
--include-cert Include the public certificate to be exported along with
the encrypted private key.
OTHER OPTIONS
--help Show this usage page and exit.
--license Show the license for the tool and exit.
Documentation
- Github "yongjhih / pepk / README.md" - “PEPK - Play Encrypt Private Key”.
When this document changes ! Site Navigation ( My Business ! My Topics ! Imprint / Contact ! Privacy Policy ! Keyword Index ! Google+ Author "Rolf Hemmerling" ! Google+ Publisher "hemmerling" )