eas submit — The Android App Bundle was signed with the wrong key

I already tried to reset my keystore with the Google Team

When I try to submit my Android app to the Google Play Store I encounter an error

eas submit --platform=android --latest

[!] Google Api Error: Invalid request - The Android App Bundle was signed with the wrong key.
  • Expo Server SHA1 F4:C7
  • Google Play SHA1 54:D9

Whether you are bare or managed workflow
Using eas-cli for android

Your eas-cli version

❯ eas --version
eas-cli/2.1.0 darwin-arm64 node-v16.13.1

What you have tried so far

  1. Downloading upload_cert.der file from Google Play

The SHA-1 certificate fingerprint starts with 54:D9
Good news! That’s the one expected with eas submit

I downloaded an upload_cert.der

  2. I converted my .cer certificate to .jks —because I don’t know what to do with this .cer file
keytool -importcert -file "upload_cert.der" -keystore myKeystore.jks -alias "com.organisation.project"
  3. Using the UI to change the certificate
https://expo.dev/accounts/xxxxx/projects/xxxxx/credentials/android

I have an error

Invalid JKS Keystore: Invalid keystore format

I have no idea how to solve the problem

I just realized that

So, you can’t convert a certificate to a keystore: you add a certificate to a keystore.

https://stackoverflow.com/questions/30352681/convert-cer-certificate-to-jks

Now, I am even more confused because I already asked the Google team to reset my key :sweat_smile:

I followed these instructions, after having downloaded my .jks file from expo server

// email from Google 

Here’s how to generate and register a new upload key:

Follow the instructions in the Android Studio Help Center to generate a new key. It must be different from any previous keys. Alternatively, you can use the following command line to generate a new key:

keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks

This key must be a 2048 bit RSA key and have 25-year validity.

Export the certificate for that key to PEM format:
keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks

Reply to this email and attach the `upload_certificate.pem` file.

Hi @flexbox

I’m not sure what you need to do exactly, but a certificate is just the signed public key, basically. You also need the private key so that you can sign the app. I’m not sure where you get the private key from if Google has reset it.

I see that under the section where you downloaded the cert it says:

If you have lost your upload key, please contact our support team.

I believe that is what you will need to do.

If that’s what you have already done, then what did they require of you? I assume they would have asked you for the certificate and you should still have the corresponding key.

Just making eas submit --platform=android --latest happy :grimacing:

Indeed, I have the original .jks file but Google asked to send a .pem file.
I followed their instructions.

keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore-from-expo.jks

But I still have a mismatch
found SHA1 F4:C7
expected SHA1 54:D9

That is why I tried to “transform” .der file —from the Play Store— to a .jks file to upload to expo.
But it’s not possible according to Stack Overflow.

I don’t know what to try next :sob:

Sure :slight_smile: I meant that I am not sure what is wrong/what you need to do to fix the problem.

OK. How did you fetch the keystore from Expo? And are you using EAS Build or the classic build system? (I believe these have potentially different keystores if your app was migrated from the classic build system to EAS Build.)

Maybe verify that the SHA1 checksums for the key/cert match what Google is saying they’re getting?

Just downloaded with eas credentials

I took another approach

  1. Create the .jks file from my computer

keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore new-from-localhost.jks
keytool -export -rfc -alias upload -file new-from-localhost-upload_certificate.pem -keystore new-from-localhost.jks
  2. Send new-from-localhost-upload_certificate.pem to the Google team and ask for a reset

:hourglass_flowing_sand: wait until it’s approved

  3. Manually upload new-from-localhost.jks file to the expo credentials dashboard

Manually creating a .jks file does not work

I have the same problem as before

If I download a working keystore from expo.dev and then run:

keytool -list -keystore @wodin__xxx-keystore.bak.jks

I get the following:

> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 1 entry
> 
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, 13 Feb 2022, PrivateKeyEntry,
> Certificate fingerprint (SHA-256): 84:79:0E:E6:FF:18:14:F6:E5:48:F2:1C:EA:5E:6C:A5:F7:D1:3D:E9:BD:56:8E:A5:18:F9:94:39:84:AB:73:0E
> 
> Warning:
> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore @wodin__deps-keystore.bak.jks -destkeystore @wodin__xxx-keystore.bak.jks -deststoretype pkcs12".

So it seems it’s stored in “JKS” format rather than “PKCS12” format.

What format is your keystore in? And if it is in “PKCS12” format, does it make any difference if you convert it to “JKS” format?

keytool -importkeystore -srckeystore new-from-localhost.jks -destkeystore converted.jks -deststoretype jks

I ran

keytool -list -v -keystore new-from-localhost.jks

And got

Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: upload
Creation date: 29 Sep 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 204a8b97
Valid from: Thu Sep 29 17:44:48 CEST 2022 until: Mon Sep 23 17:44:48 CEST 2047
Certificate fingerprints:
	 SHA1: C3:E7:8D:6F:09:E0:74:4D:C1:DE:C5:5A:8E:39:CC:1B:XX:XX:XX:XX
	 SHA256: 69:E5:67:96:5E:A1:4D:BD:7C:E6:4D:9A:B9:B5:63:B1:F3:99:1A:06:8F:71:C8:A0:A1:75:28:XX:XX:XX:XX:XX
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

It seems yes, here is the output

I successfully uploaded it to Expo —with the web UI

After that, I ran:

keytool -export -rfc -alias upload -file new-from-localhost-converted-upload_certificate.pem -keystore converted.jks

to get another new-from-localhost-converted-upload_certificate.pem

And sent the key to Google

:hourglass_flowing_sand: Now let’s wait a couple of days :sweat_smile:

The cert is still the same. You should not have had to send it to Google again.

One thing I am suspicious of:
Your Subject and Issuer are filled with “Unknown” which seems unlikely to be right. Normally, for an SSL/TLS certificate (which I am more familiar with) these would contain the host name, organisational unit, organisation, city, province/state and country. But maybe it’s fine like that, because after all, Expo doesn’t ask for that info when creating certs automatically.

indeed

It’s finally working now :rocket:

Confirmed!

inspecting my file with keytool -list -v -keystore new-from-localhost.jks

Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown

Doesn’t change anything.

Thank you so much @wodin for helping me during this process you are a legend!

haha :slight_smile: thanks. I’m glad I could help
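
Added example, not part of the original thread: a way to run the check suggested above, comparing the certificate exported from a keystore (`keytool -export -rfc`, PEM) with the `upload_cert.der` downloaded from Google Play before uploading the keystore or contacting support. The function names are this example's own, and `SAMPLE_DER` is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"constructed placeholder, not a real certificate"


def to_der(data: bytes) -> bytes:
    """Accept PEM (keytool -export -rfc) or raw DER (upload_cert.der)."""
    match = PEM_CERT.search(data.decode("latin-1"))
    if match is None:
        return data  # no PEM armour: treat as DER already
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used here to build the sample input)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


def fingerprint(cert: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case digest of the DER encoding, as keytool prints it."""
    digest = hashlib.new(algo, to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(keystore_export: bytes, play_cert: bytes) -> bool:
    """True when both files hold the same certificate, whatever their encoding."""
    return fingerprint(keystore_export, "sha256") == fingerprint(play_cert, "sha256")


def matches_prefix(cert: bytes, prefix: str) -> bool:
    """Compare against a truncated SHA-1 such as the '54:D9' in the eas submit error."""
    return fingerprint(cert).startswith(prefix.upper())


if __name__ == "__main__" and len(sys.argv) == 3:
    exported, expected = (open(p, "rb").read() for p in sys.argv[1:])
    print("keystore export SHA1:", fingerprint(exported))
    print("Google Play     SHA1:", fingerprint(expected))
    print("match" if same_certificate(exported, expected) else "MISMATCH")
```

Run as a script with two paths (the PEM exported from the keystore, then `upload_cert.der`), it prints both SHA-1 fingerprints in the format of the `eas submit` error and reports whether they are the same certificate.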
