build:android failed in task :app:packageRelease (attempting to build 64-bit bundle using new keys generated by `expo opt-in-google-play-signing` process)

This app has been published to Google Play previously, but I’m trying to let Google manage and protect my app signing key, so I ran expo opt-in-google-play-signing and followed the instructions to add the ‘signing’ key and the ‘uploading’ key to the Google Play Console.

In an attempt to publish a bundle which includes a 64-bit version of the app, I build using the expo build:android -c -t app-bundle --release-channel prod-v1.0.5 command and get the following error:

Task :app:packageRelease FAILED
[stderr] FAILURE: Build failed with an exception.
[stderr] * What went wrong:
[stderr] Execution failed for task ‘:app:packageRelease’.
[stderr] > com.android.ide.common.signing.KeytoolException: Failed to read key QHZuYS92bmEtbWVhbHMtb24td2hlZWxz from store “/tmp/turtle/keystore-430730fe-4381-4990-a97a-ff95c4728da6.jks”: Get Key failed: Given final block not properly padded
[stderr] * Try:
[stderr] Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
[stderr] * Get more help at https://help.gradle.org
[stderr] BUILD FAILED in 4m 2s
28 actionable tasks: 28 executed
Error: ./gradlew exited with non-zero code: 1
at ChildProcess.completionListener (/app/turtle/node_modules/@expo/xdl/node_modules/@expo/spawn-async/build/spawnAsync.js:52:23)
at Object.onceWrapper (events.js:317:30)
at emitTwo (events.js:126:13)
at ChildProcess.emit (events.js:214:7)
at maybeClose (internal/child_process.js:915:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:209:5)

at spawnAsync (/app/turtle/node_modules/@expo/xdl/node_modules/@expo/spawn-async/build/spawnAsync.js:17:21)
at spawnAsyncThrowError (/app/turtle/node_modules/@expo/xdl/build/detach/ExponentTools.js:169:43)
at buildShellAppAsync (/app/turtle/node_modules/@expo/xdl/build/detach/AndroidShellApp.js:697:11)
at <anonymous>

Build ID: 430730fe-4381-4990-a97a-ff95c4728da6
Expo Diagnostics:

Expo CLI 3.0.6 environment info:
System:
OS: Linux 4.4 Ubuntu 18.04.1 LTS (Bionic Beaver)
Shell: 4.4.19 - /bin/bash
Binaries:
Node: 10.16.1 - ~/.nvm/versions/node/v10.16.1/bin/node
Yarn: 1.15.2 - /usr/bin/yarn
npm: 6.9.0 - ~/.nvm/versions/node/v10.16.1/bin/npm
npmPackages:
expo: ^33.0.0 => 33.0.7
react: 16.8.3 => 16.8.3
react-native: https://github.com/expo/react-native/archive/sdk-33.0.0.tar.gz => 0.59.8
react-navigation: ^2.16.0 => 2.18.0
npmGlobalPackages:
expo-cli: 3.0.6

This was such a stupid process. We went through the whole expo opt-in-google-play-signing process and thankfully we thought to hang onto the .jks.bak file and the details that Expo spat out when opting into Google Play signing. Expo suggested that it should delete the cert from their servers given that I’d confirmed that Google Play signing was turned on.

Then we ran into the exact issue above. Builds were failing because Expo couldn’t find the cert. Derp. So we ran expo build:android --clear-credentials -t app-bundle just to get builds working again. We let Expo generate its own cert because we didn’t think it mattered. When we tried to push this to Google Play we got the error:

[!] Google Api Error: apkNotificationMessageKeyBundleSignedWithWrongKey: The Android App Bundle was signed with the wrong key. Found: SHA1: 43:4A:06:DB:…, expected: SHA1: CA:94:83:B8:…

So we ran keytool -list -v -keystore app_sign.jks.bak -alias QGNoYXJnZWZ to check the fingerprint of the .jks.bak file that Expo spat out. Lo and behold it’s the exact cert that we still need to be signing our builds with.

So we ran another build with --clear-credentials and uploaded that cert back to Expo’s servers and everything works again now.

Hang onto that backup keystore!

Can you run expo fetch:android:hashes and verify that the displayed values match the ones present on the app signing page in Play Console?

@camurphy
Based on your description, I suspect that you didn’t follow all the steps mentioned in the instructions. There were two files that should be uploaded to Play Console: the private signing key from the old keystore and the public cert from the new one. The second file is optional on Google Play, but it’s required when running expo opt-in-google-play-signing. If I’m right about that, you have the same fingerprint for the app signing cert and for the upload cert on the app signing page in Play Console.

@wkozyra: Yes. My SHA-1 hash result from that command matches the Upload certificate’s SHA-1 certificate fingerprint, in the Google Play Console.

What now?


I suspect that keystore got mangled somehow, can you run those commands to make sure that this is the case?

expo fetch:android:upload-cert

keytool -importkeystore -srckeystore identity.jks -srcstorepass storepassword -srckeypass keypassword -srcalias notebook -destalias notebook -destkeystore identity.p12 -deststoretype PKCS12 -deststorepass password -destkeypass password

Those commands are not intended to do anything, but might provide a clearer error or confirm the issue with the keystore. expo fetch:android:keystore will display the necessary credentials.

If the keystore is invalid, run expo build:android -c and contact the support team to reset your password. You will need to send them the output of expo fetch:android:upload-cert, but run this after running the build with the -c flag.

Thanks, @wkozyra! I ran the commands you asked and got no errors.

$keytool -importkeystore -srckeystore vna-meals-on-wheels.jks -srcstorepass <obfuscated> -srckeypass <obfuscated> -srcalias QHZuYS92bmEtbWVhbHMtb24td2hlZWxz -destalias QHZuYS92bmEtbWVhbHMtb24td2hlZWxz -destkeystore vna-meals-on-wheels.p12 -deststoretype PKCS12 -deststorepass <obfuscated> -destkeypass <obfuscated>
Importing keystore vna-meals-on-wheels.jks to vna-meals-on-wheels.p12...
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -destkeypass value.
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -srckeypass value.
$ls -l *.p12
-rwxrwxrwx 1 thargenediad thargenediad 2651 Aug  5 07:38 vna-meals-on-wheels.p12

Does that mean the keystore is valid?

When generating a keystore during a build, Expo uses keytool on our server, but when running opt-in-google-play-signing the system keytool is used (it’s bundled with the Java SDK). For some reason, in your case it generated the keystore in pkcs format instead of jks.

!!! Back up current credentials before doing the next step
Run this command to convert it to jks (MY_FILE.p12 should be the path to the current jks file)

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 \
 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] \
 -deststoretype jks -deststorepass [PASSWORD_JKS] -destkeypass [PASSWORD_KEY] -destalias [ALIAS_DEST]

Run build:android -c and specify the keystore and all the credentials manually

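The container mix-up described in the reply above (a file handled as .jks whose contents are PKCS#12) can be checked without any password by reading the keystore's first bytes. This is an added example, not part of the original thread or of Expo's tooling; the function names, file names and sample headers are constructed for illustration.

```python
import os
import struct

# Leading magic numbers of Java keystore containers (big-endian, offset 0).
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
# File extensions conventionally used for each container.
EXPECTED = {".jks": "JKS", ".jceks": "JCEKS", ".p12": "PKCS12", ".pfx": "PKCS12"}


def _der_content_offset(data: bytes):
    """Offset of the content inside the outer ASN.1 element, or None if malformed."""
    if len(data) < 2:
        return None
    length = data[1]
    if length <= 0x80:            # short form, or 0x80 = BER indefinite length
        return 2
    n = length & 0x7F             # long form: n length bytes follow
    return 2 + n if n <= 4 and len(data) >= 2 + n else None


def keystore_format(data: bytes) -> str:
    """Classify a keystore from its first bytes; no password is needed."""
    if len(data) >= 4:
        (magic,) = struct.unpack(">I", data[:4])
        if magic in MAGIC:
            return MAGIC[magic]
    # PKCS#12 (PFX) is an ASN.1 SEQUENCE whose first field is INTEGER 3.
    if data[:1] == b"\x30":
        off = _der_content_offset(data)
        if off is not None and data[off:off + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "unknown"


def container_mismatch(filename: str, data: bytes):
    """Return (declared, actual) when extension and contents disagree, else None."""
    declared = EXPECTED.get(os.path.splitext(filename)[1].lower())
    actual = keystore_format(data)
    return (declared, actual) if declared and declared != actual else None


# Constructed sample headers (not real keystores): only the leading bytes matter.
JKS_SAMPLE = bytes.fromhex("feedfeed" "00000002" "00000001")
P12_SAMPLE = bytes.fromhex("30820a57" "020103" "30820a11")

if __name__ == "__main__":
    for name, blob in [("upload.jks", JKS_SAMPLE), ("upload.jks", P12_SAMPLE)]:
        print(name, keystore_format(blob), container_mismatch(name, blob))
```

On a real file, pass the first few bytes read in binary mode; a result of ("JKS", "PKCS12") is the situation the reply describes.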

@camurphy

Did you upload the cert app_sign.jks path again and using -t app-bundle or apk?

@wkozyra It worked! Thank you! Thank you! Thank you! :hugs:

@wkozyra
Hmm, you’re right, I’ve ended up with matching App signing and Upload certificates :thinking:
I only remember uploading one private key to Google Play.
Should I request we swap out the Upload certificate?

I should also mention my first attempt at this process failed halfway through because I didn’t have a JDK. I had to run brew cask install java.

@iclinic-dev
I used -t app-bundle when updating the cert on Expo’s servers.

It’s not a huge issue, but slightly less secure. If you want to do that, reset credentials with build:android -c and send the support team the output of expo fetch:android:upload-cert

Option on google play is not very visible (last optional step)

Right, yes. That’s very easy to miss.
Perhaps the output of the Expo tool should make a point about expanding the Optional step. At the moment it just says:

On the previously opened Google Play console page, upload /Users/cam/Source/app/app_private_sign_key as "APP SIGNING PRIVATE KEY" and /Users/cam/Source/app/app_upload_cert.pem as "UPLOAD KEY PUBLIC CERTIFICATE"

This still doesn’t help me understand why builds started failing after this process… surely app_upload_cert.pem was supposed to have been the new key that Expo builds were signed with? Instead builds were failing with

[stderr] Execution failed for task ':app:packageRelease'.
[stderr] > com.android.ide.common.signing.KeytoolException: Failed to read key QGNoYXJnZWZveC9jaGFyZ2Vmb3g= from store "/tmp/turtle/keystore-e8cd1f55-aa3d-4024-a8f3-a16711b4b065.jks": Get Key failed: Given final block not properly padded

Seems like opt-in-google-play-signing process doesn’t install the new upload keystore properly.

Those two issues were unrelated; keytool on some systems generated a pkcs keystore instead of jks. When running --clear-credentials, the keystore is generated on our servers; when running the opt command, it’s using the system one.

A pair of keys is used for signing: app_upload_cert.pem is the public key (it’s used to verify the signature), and a private key is used to create a signature. jks and pkcs are formats/containers that store these key pairs.

I had the same issue.
I went through the whole process of expo opt-in-google-play-signing. I did upload both certificates to Google Play Console. After that I tried to build and it failed with the same error on task ‘:app:packageRelease’. Then I ran build with --clear-credentials and manually added keystore that was generated during expo opt-in-google-play-signing. That fixed build. For now it works when I upload apk build to Google Play Console. But it doesn’t work for aab build. Google Play Console says that I use wrong key for signing the bundle.
@wkozyra Do you have any clue what’s wrong in my case? I’m using sdk 33

The only file that is left after the process is the old keystore. You can verify that by running expo fetch:android:hashes; the output should match the upload keystore in Google Play Console, and in your case it is probably matching the app signing keystore. If I’m right about that, run build:android -c, let Expo generate new credentials and ask the Google support team to reset your password. You will need the .pem file generated by expo fetch:android:upload-cert (run this after clearing credentials)

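The fingerprint comparisons suggested throughout this thread (local key versus the "App signing" and "Upload" certificates shown in Play Console) can be scripted as below. This is an added example, not code from the thread or from Expo; the function names, finding labels and sample fingerprints are constructed, and SAMPLE_PEM is a placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder PEM (body decodes to b"abc"); not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def normalize(fp: str) -> str:
    """Canonical AA:BB:... form; accepts 'SHA1: ..', colons, spaces or bare hex."""
    fp = re.sub(r"(?i)^\s*sha-?1\s*:", "", fp)
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != 40:
        raise ValueError("not a complete SHA-1 fingerprint: %r" % fp)
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))


def pem_sha1(pem: str) -> str:
    """SHA-1 over the DER bytes of the first certificate in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return normalize(hashlib.sha1(der).hexdigest())


def triage(local_fp, play_signing_fp, play_upload_fp):
    """Compare the key used for builds with both certificates listed by Play."""
    local, signing, upload = map(normalize,
                                 (local_fp, play_signing_fp, play_upload_fp))
    findings = []
    if signing == upload:
        # The optional upload-certificate step was skipped in Play Console.
        findings.append("upload-cert-equals-app-signing-cert")
    if local == upload:
        findings.append("local-key-accepted-as-upload-key")
    elif local == signing:
        # Builds are signed with the old key, which is no longer the upload key.
        findings.append("local-key-is-app-signing-key-not-upload-key")
    else:
        # Matches the 'signed with the wrong key' rejection quoted in the thread.
        findings.append("local-key-unknown-to-play")
    return findings


if __name__ == "__main__":
    local = pem_sha1(SAMPLE_PEM)
    print(local, triage(local, "11" * 20, local))
```

Truncated fingerprints such as the ones in the quoted Google API error are rejected by normalize; paste the full values from Play Console and from expo fetch:android:hashes.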